Business Hours Indicator < 2.3.5 – Admin+ Stored Cross-Site Scripting | CVE 2021-24593 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape its 'Now closed message" setting when outputting it in the backend and frontend, leading to an Authenticated Stored Cross-Site Scripting issue

Proof of Concept

Put the following payload in the "Now closed message" setting and save them: <script>alert(/XSS/)</script>

Then refresh the setting page, or go to a page where the Business Hours are output (tested with the [mbhi ..] shortcode) to trigger the XSS

Affects Plugins

business-hours-indicator

Fixed in 2.3.5

References

CVE

URL

https://www.hackpertise.com/cve/28-cve-2021-36848/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Asif Nawaz Minhas

Submitter

Asif Nawaz Minhas

Verified

Yes

WPVDB ID

309296d4-c397-4fc7-85fb-a28b5b5b6a8d

Timeline

Publicly Published

2021-08-02 (about 2 years ago)

Added

2021-08-02 (about 2 years ago)

Last Updated

2023-04-12 (about 1 years ago)

Other

Published

Title

Published

2023-03-15

Title

Slide Anything < 2.4.9 - Author+ Stored XSS

Published

2023-10-23

Title

Live Chat with Facebook Messenger < 1.0 - Contributor+ Stored XSS via Shortcode

Published

2024-04-26

Title

WP ULike < 2.7.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2023-10-16

Title

Timely Booking Button <= 2.0.2 - Admin+ Stored XSS

Published

2021-08-13

Title

Plugmatter Pricing Table Lite <= 1.0.32 - Reflected Cross-Site Scripting