WordPress Plugin Vulnerabilities

Maintenance < 4.03 - Authenticated Stored XSS

Description

The plugin does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend

Proof of Concept

Affects Plugins

Plugin icon
maintenance
Fixed in 4.03

References

CVE
CVE-2021-24533

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Emil kylander
Submitter
Emil kylander
Submitter website
https://emilkylander.se
Verified
Yes
WPVDB ID
174b2119-b806-4da4-a23d-c19b552c86cb

Timeline

Publicly Published
2021-07-21 (about 4 years ago)
Added
2021-07-21 (about 4 years ago)
Last Updated
2023-01-24 (about 2 years ago)

Other

Published
Title
Published
2025-09-16
Title
Productive Style < 1.1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via display_productive_breadcrumb Shortcode
Published
2020-10-05
Title
Post Grid < 2.0.73 & Team Showcase < 1.22.16 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2025-04-01
Title
Smartarget Popup <= 1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-07-07
Title
Media Folder <= 1.0.0 - Reflected Cross-Site Scripting
Published
2025-03-24
Title
Weather Layer <= 4.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting