Advanced Access Manager < 6.8.0 – Admin+ Stored Cross-Site Scripting | CVE 2021-24830 | Plugin Vulnerabilities

Description

The plugin does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payload in any of the plugin's settings with a text input:
- v < 6.7.9 - "><script>alert(/XSS/)</script>
- v < 6.8.0 - " onfocus=alert(/XSS/)//

For example in "404 Redirect" > "Redirected to the local URL" > "The URL", "URI Access" > Create > "Enter URL" etc

The XSS will be triggered when accessing the plugin setting again

Affects Plugins

advanced-access-manager

Fixed in 6.8.0

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2616161/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Huy Nguyen

Submitter

Huy Nguyen

Submitter website

https://www.linkedin.com/in/id-laladee/

Verified

Yes

WPVDB ID

1c46373b-d43d-4d18-b0ae-3711fb0be0f9

Timeline

Publicly Published

2021-10-19 (about 4 years ago)

Added

2021-10-19 (about 4 years ago)

Last Updated

2022-04-14 (about 3 years ago)

Other

Published

Title

Published

2023-07-26

Title

Your Journey theme <= 1.9.8 - Reflected Cross-Site Scripting via Prototype Pollution

Published

2025-06-05

Title

Mediabay - WordPress Media Library Folders <= 1.4 - Reflected Cross-Site Scripting

Published

2014-10-21

Title

NEX-Forms Lite <= 2.1.0 - Stored Cross-Site Scripting (XSS)

Published

2023-10-18

Title

Bulk NoIndex & NoFollow Toolkit < 1.5 - Reflected XSS

Published

2025-12-12

Title

Enter Addons < 2.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown and Image Comparison Widgets