WordPress Plugin Vulnerabilities

FoodBakery < 2.2 - Reflected Cross-Site Scripting (XSS)

Description

The plugin, used in the theme did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
wp-foodbakery
Fixed in 2.2

Affects Themes

foodbakery
Fixed in 2.2

References

CVE
CVE-2021-24389

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Truoc Phan - Techlab Corporation
Submitter
Truoc Phan
Submitter website
https://www.facebook.com/292706121240740
Submitter twitter
truocphan
Verified
Yes
WPVDB ID
23b8b8c4-cded-4887-a021-5f3ea610213b

Timeline

Publicly Published
2021-06-14 (about 4 years ago)
Added
2021-06-14 (about 4 years ago)
Last Updated
2021-06-25 (about 4 years ago)

Other

Published
Title
Published
2024-11-08
Title
Mobile Kiosk <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-11
Title
Poll Builder <= 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2012-08-08
Title
Postie 1.4.3 - Stored Cross-Site Scripting (XSS)
Published
2023-03-20
Title
Read More Without Refresh < 3.2 - Admin+ Stored Cross-Site Scripting
Published
2024-03-12
Title
Prime Slider – Addons For Elementor < 3.13.3 - Contributor+ Stored Cross-Site Scripting via Mercury Widget