Get Custom Field Values < 4.0.1 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24871 | Plugin Vulnerabilities

Description

The plugin does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks

Proof of Concept

As a contributor, create a custom field in a post, with the following payload: <script>alert(1)</script>

Then add the following shortcode to the post: [custom_field field="<custom_field_name>"]

Affects Plugins

get-custom-field-values

Fixed in 4.0.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

Verified

Yes

WPVDB ID

28007c80-dc14-4987-a52c-f2a05cfe5905

Timeline

Publicly Published

2021-11-09 (about 4 years ago)

Added

2021-11-09 (about 4 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2024-04-22

Title

All-in-one Like Widget < 2.2.8 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2024-05-06

Title

Viet Nam Affiliate <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-11-08

Title

VP Sitemap <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-03-07

Title

HT Mega – Absolute Addons For Elementor < 2.8.3 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Countdown Widget

Published

2025-12-19

Title

Responsive and Swipe slider <= 1.0.2 - Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode