WordPress Plugin Vulnerabilities

Business Hours Indicator < 2.3.5 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise or escape its 'Now closed message" setting when outputting it in the backend and frontend, leading to an Authenticated Stored Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
business-hours-indicator
Fixed in 2.3.5

References

CVE
CVE-2021-24593
URL
https://www.hackpertise.com/cve/28-cve-2021-36848/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Asif Nawaz Minhas
Submitter
Asif Nawaz Minhas
Verified
Yes
WPVDB ID
309296d4-c397-4fc7-85fb-a28b5b5b6a8d

Timeline

Publicly Published
2021-08-02 (about 4 years ago)
Added
2021-08-02 (about 4 years ago)
Last Updated
2023-04-12 (about 2 years ago)

Other

Published
Title
Published
2024-09-25
Title
WordPress Visitors <= 1.0 - Unauthenticated Stored Cross-Site Scripting via HTTP Header
Published
2022-03-15
Title
Post Grid < 2.1.16 - Reflected Cross-Site Scripting via post_types
Published
2025-08-17
Title
Slide Puzzle <= 1.0.0 - Reflected Cross-Site Scripting
Published
2024-11-08
Title
Testimonial Slider Shortcode <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-04-04
Title
Squelch Tabs and Accordions Shortcodes < 0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via accordions Shortcode