You Shang <= 1.0.1 – Authenticated Stored Cross-Site Scripting | CVE 2021-24597 | Plugin Vulnerabilities

Description

The plugin does not escape its qrcode links settings, which result into Stored Cross-Site Scripting issues in frontend posts and the plugins settings page depending on the payload used

Proof of Concept

Put the following payload in the wechat_qrcode settings of the plugin: http://127.0.0.1/"onerror=alert(/XSS/)// and the XSS will be triggered in all frontend posts

The following payload could also be used to only trigger in the plugin's settings page: " style=animation-name:rotation onanimationstart=alert(/XSS/)//

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

yangshengcheng@webray.com.cn inc

Submitter

yangshengcheng@webray.com.cn inc

Verified

Yes

WPVDB ID

37554d0e-68e2-4df9-8c59-65f5cd7f184e

Timeline

Publicly Published

2021-07-30 (about 4 years ago)

Added

2021-08-19 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2025-05-28

Title

Easy Digital Downloads < 3.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via edd_receipt Shortcode

Published

2024-07-15

Title

Ditty < 3.1.45 - Author+ Stored XSS

Published

2024-08-28

Title

Nested Pages <= 3.2.8 - Editor+ Stored XSS

Published

2015-04-26

Title

FeedWordPress <= 2015.0426 - Cross-Site Scripting (XSS)

Published

2025-09-05

Title

Admin Menu Editor < 1.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder Parameter