WordPress Plugin Vulnerabilities

Get Custom Field Values < 4.0.1 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks

Proof of Concept

As a contributor, create a custom field in a post, with the following payload: <script>alert(1)</script>

Then add the following shortcode to the post: [custom_field field="<custom_field_name>"]

Affects Plugins

Plugin icon
get-custom-field-values
Fixed in 4.0.1

References

CVE
CVE-2021-24871

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Submitter
Francesco Carlucci
Submitter website
https://carluc.ci
Submitter twitter
francecarlucci
Verified
Yes
WPVDB ID
28007c80-dc14-4987-a52c-f2a05cfe5905

Timeline

Publicly Published
2021-11-09 (about 2 years ago)
Added
2021-11-09 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)

Other

Published
Title
Published
2016-03-28
Title
Music Store < 1.0.43 - Cross-Site Scripting (XSS)
Published
2021-09-15
Title
Compact WP Audio Player < 1.9.7 - Contributor+ Stored Cross-Site Scripting
Published
2024-01-08
Title
PageLayer < 1.8.0 - Author+ Stored XSS
Published
2022-02-14
Title
Multiple Themes - Reflected Cross-Site Scripting via Customizer Notify
Published
2022-05-09
Title
IMDB info box <= 2.0 - Admin+ Stored Cross-Site Scripting