WordPress Plugin Vulnerabilities

WP System Log < 1.0.21 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs.

Proof of Concept

Affects Plugins

Plugin icon
winterlock
Fixed in 1.0.21

References

CVE
CVE-2021-24756

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
wzy-ceb Attack defense
Submitter
wzy-ceb Attack defense
Verified
Yes
WPVDB ID
0cea0717-8f54-4f1c-b3ee-aff7dd91bf59

Timeline

Publicly Published
2021-11-15 (about 4 years ago)
Added
2021-11-15 (about 4 years ago)
Last Updated
2022-04-11 (about 3 years ago)

Other

Published
Title
Published
2025-09-22
Title
Epeken All Kurir <= 2.0.6 - Shop manager+ Stored XSS
Published
2014-08-01
Title
A Forms 1.4.0 - a-forms.php a_form_initial_page Function Multiple Parameter XSS
Published
2024-04-16
Title
VikBooking Hotel Booking Engine & PMS < 1.6.8 - Reflected Cross-Site Scripting
Published
2021-07-01
Title
Leaflet Map < 3.0.0 - Contributor+ Stored XSS
Published
2023-01-03
Title
Bold Timeline Lite < 1.1.5 - Contributor+ Stored XSS via Shortcode