Post Duplicator < 2.27 – Admin+ Stored Cross-Site Scripting | CVE 2021-33852

Description

The plugin does not sanitise and escape its Duplicate Title and Slug settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payload in the "Duplicate Title" or "Duplicate Slug" settings: "><script>alert(/XSS/)</script>

Affects Plugins

post-duplicator

Fixed in 2.27

References

CVE

CVE-2021-33852

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

Cyber Security Works Pvt. Ltd

Verified

Yes

WPVDB ID

3288b339-fe27-4706-b511-5b8586c9d370

Timeline

Publicly Published

2021-12-02 (about 4 years ago)

Added

2022-03-09 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-03-28

Title

YouTube SimpleGallery <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-06-26

Title

Cancel order request WooCommerce < 1.3.3 - Admin+ Stored XSS

Published

2025-04-17

Title

AdminQuickbar < 1.9.2 - Reflected Cross-Site Scripting

Published

2015-08-25

Title

Post video players <= 1.136 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2025-06-27

Title

Football Pool < 2.12.6 - Authenticated (Contributor+) Stored Cross-Site Scripting