WordPress Plugin Vulnerabilities

DSGVO All in one for WP < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

The dsgvoaio_write_log AJAX action of the plugin did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log). This could allow unauthenticated attackers to gain unauthorised access by using an XSS payload to create a rogue administrator account, which will be trigged when an administrator will view the logs.

Proof of Concept

Affects Plugins

Plugin icon
dsgvo-all-in-one-for-wp
Fixed in 4.0

References

CVE
CVE-2021-24294
URL
https://plugins.trac.wordpress.org/changeset/2522596/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.3 (high)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
43b8cfb4-f875-432b-8e3b-52653fdee87c

Timeline

Publicly Published
2021-05-07 (about 4 years ago)
Added
2021-05-07 (about 4 years ago)
Last Updated
2021-05-08 (about 4 years ago)

Other

Published
Title
Published
2025-01-06
Title
PayGreen Payment Gateway < 1.0.27 - Reflected Cross-Site Scripting
Published
2024-06-07
Title
SKT Addons for Elementor < 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Age Gate and Creative Slider Widgets
Published
2022-07-27
Title
BxSlider WP <= 2.0.0 - Contributor+ Stored Cross-Site Scripting
Published
2024-10-21
Title
chatplusjp <= 1.02 - Reflected Cross-Site Scripting
Published
2025-08-22
Title
ShortcodeHub <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via author_link_target Parameter