Insert Pages < 3.7.0 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24850

Description

The plugin adds a shortcode that prints out other pages' content and custom fields. It can be used by users with a role as low as Contributor to perform Cross-Site Scripting attacks by storing the payload/s in another post's custom fields.

Proof of Concept

- Create a page A
- Add a custom field containing JS in Page A
- Create page B
- add shortcode to page B: [insert page="page_A_slug" display="all"]

Affects Plugins

insert-pages

Fixed in 3.7.0

References

CVE

CVE-2021-24850

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.8 (medium)

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

francecarlucci

Verified

Yes

WPVDB ID

2d6f9be0-b9fd-48e5-bd68-94eeb3822c0a

Timeline

Publicly Published

2021-10-18 (about 4 years ago)

Added

2021-10-18 (about 4 years ago)

Last Updated

2022-04-16 (about 3 years ago)

Other

Published

Title

Published

2015-05-13

Title

Syndication Links <= 1.0.2 - DOM Cross-Site Scripting (XSS)

Published

2025-09-22

Title

Last Updated Shortcode <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-09-26

Title

OSM < 6.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via osm_map and osm_map_v3 Shortcodes

Published

2024-08-19

Title

Tutor LMS Elementor Addons < 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Course Carousel Widget

Published

2023-01-04

Title

Pricing Tables WordPress Plugin – Easy Pricing Tables < 3.2.3 - Contributor+ Stored XSS via Shortcode