WordPress Plugin Vulnerabilities

Perfect Survey < 1.5.2 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not validate and escape the X-Forwarded-For header value before outputting it in the statistic page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
perfect-survey
No known fix

References

CVE
CVE-2021-24765

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
4440e7ca-1a55-444d-8f6c-04153302d750

Timeline

Publicly Published
2021-10-05 (about 4 years ago)
Added
2021-12-29 (about 4 years ago)
Last Updated
2022-04-13 (about 3 years ago)

Other

Published
Title
Published
2025-05-30
Title
Custom Post Carousels with Owl < 1.4.12 - Contributor+ Stored XSS
Published
2014-08-01
Title
Mingle Forum < 1.0.33.2 - Cross Site Scripting
Published
2023-11-07
Title
WPDBSpringClean <= 1.6 - Reflected XSS
Published
2023-10-16
Title
Responsive Pricing Table < 5.1.8 - Admin+ Stored Cross-Site Scriping
Published
2024-01-26
Title
coreActivity < 1.8.1 - Unauthenticated Stored XSS