WordPress Plugin Vulnerabilities

Smart Email Alerts <= 1.0.10 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to Reflected Cross-Site Scripting via the api_key in the ~/views/settings.php file which allows attackers to inject arbitrary web scripts

Affects Plugins

Plugin icon
smart-email-alerts
No known fix

References

CVE
CVE-2021-34642
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34642

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
p7e4
Verified
No
WPVDB ID
350e660d-4f32-44f2-89d9-29a8d5307156

Timeline

Publicly Published
2021-08-13 (about 4 years ago)
Added
2021-08-13 (about 4 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2024-10-14
Title
Arkhe Blocks < 2.27.0 - Contributor+ Stored XSS
Published
2025-07-16
Title
WPAdverts < 2.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-05
Title
Ni WooCommerce Order Export <= 3.1.6 - Reflected Cross-Site Scripting
Published
2024-02-20
Title
Buttons Shortcode and Widget <= 1.16 - Stored XSS via shortcode
Published
2017-02-07
Title
Raygun4WP <= 1.8.0 - Unauthenticated Reflected XSS