Display Post Metadata < 1.5.0 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24855 | Plugin Vulnerabilities

Description

The plugin adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

Proof of Concept

- Login as contributor+
- Create a custom field containing XSS payload (eg. <script>alert(1)</script>)
- Add this shortcode to the post/page: [metadata element="custom_fields"]
- The XSS will be triggered when the post/page is previewed/viewed by any user

Affects Plugins

display-post-metadata

Fixed in 1.5.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

Verified

Yes

WPVDB ID

49328498-d3a0-4d27-8a52-24054b5e42f3

Timeline

Publicly Published

2021-11-15 (about 2 years ago)

Added

2021-11-15 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2016-03-23

Title

Anti-Malware Security & Brute-Force Firewall < 4.15.44 - XSS & CSRF

Published

2021-06-25

Title

Paid Membership Pro < 2.5.10 - Cross-Site Scripting (XSS)

Published

2022-09-26

Title

Pop-Up Chop Chop <= 2.1.7 - Contributor+ Stored Cross-Site Scripting

Published

2023-02-10

Title

Quick Paypal Payments < 5.7.26 - Admin+ Stored XSS

Published

2023-12-19

Title

Event Management Tickets Booking <= 1.3.4 - Admin+ Stored XSS