WP Travel Engine < 5.3.1 – Editor+ Stored Cross-Site Scripting | CVE 2021-24680 | Plugin Vulnerabilities

Description

The plugin does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed

Proof of Concept

As an editor or admin, add or edit a Trip Destination/Activity/Type or Pricing Category (wp-admin/edit.php?post_type=trip) and put the following payload in the Description field: <img src onerror=alert(/XSS/)>

The XSS will be triggered in the List of Pricing Categories or Trips etc

Affects Plugins

wp-travel-engine

Fixed in 5.3.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Huy Nguyen

Submitter website

https://www.linkedin.com/in/id-laladee/

Verified

Yes

WPVDB ID

30f2a0d5-7959-436c-9860-2535020e82d3

Timeline

Publicly Published

2021-12-01 (about 4 years ago)

Added

2021-12-01 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2024-09-24

Title

Charity Addon for Elementor < 1.3.2 - Contributor+ Stored XSS

Published

2024-09-12

Title

Tweaker5 <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode

Published

2024-02-29

Title

Easy Property Listings <= 3.5.3 - Admin+ Stored XSS

Published

2021-09-08

Title

Custom Menu Plugin <= 1.3.3 - Reflected Cross-Site Scripting

Published

2024-07-08

Title

Counterpoint <= 1.8.1 - Reflected Cross-Site Scripting