WP Travel Engine < 5.3.1 – Editor+ Stored Cross-Site Scripting | CVE 2021-24680 | Plugin Vulnerabilities

Description

The plugin does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed

Proof of Concept

As an editor or admin, add or edit a Trip Destination/Activity/Type or Pricing Category (wp-admin/edit.php?post_type=trip) and put the following payload in the Description field: <img src onerror=alert(/XSS/)>

The XSS will be triggered in the List of Pricing Categories or Trips etc

Affects Plugins

wp-travel-engine

Fixed in 5.3.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Huy Nguyen

Submitter website

https://www.linkedin.com/in/id-laladee/

Verified

Yes

WPVDB ID

30f2a0d5-7959-436c-9860-2535020e82d3

Timeline

Publicly Published

2021-12-01 (about 2 years ago)

Added

2021-12-01 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2022-12-23

Title

MashShare < 3.8.7 - Contributor+ Stored XSS

Published

2019-03-11

Title

Abandoned Cart Lite for WooCommerce < 5.2.0 - Unauthenticated Stored Cross-Site Scripting (XSS)

Published

2022-01-17

Title

Form Store to DB < 1.1.1 - Unauthenticated Stored Cross-Site Scripting

Published

2021-09-21

Title

Responsive WordPress Slider <= 2.2.0 - Reflected Cross-Site Scripting

Published

2024-03-29

Title

Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget