WP24 Domain Check < 1.6.3 – Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin version 1.6.2 and possibly below, was vulnerable to Stored Cross-Site Scripting (XSS) in the plugin's fieldnameDomain settings parameter.

The form did require a valid CSRF nonce, limiting the exploitability of the vulnerability.

Proof of Concept

In the plugin's advanced settings (wp-admin/options-general.php?page=wp24_domaincheck_settings&tab=advanced), put the following payload in the Domain fieldname input:
" onfocus=alert(/XSS/); autofocus=

Affects Plugins

wp24-domain-check

Fixed in 1.6.3

References

Exploitdb

49377

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

4.4 (medium)

Miscellaneous

Original Researcher

Mehmet Kelepce

Verified

WPVDB ID

4c4075de-c6e0-4130-8cad-a4ea5311f5ea

Timeline

Publicly Published

2021-01-06 (about 5 years ago)

Added

2021-01-11 (about 5 years ago)

Last Updated

2021-01-26 (about 5 years ago)

Other

Published

Title

Published

2021-07-14

Title

Forminator < 1.14.12 - Unauthenticated Stored XSS

Published

2024-10-15

Title

Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons < 2.6.6 - Reflected Cross-Site Scripting

Published

2025-07-23

Title

Youtube Vimeo Video Player and Slider WP Plugin < 3.9 - Reflected Cross-Site Scripting

Published

2010-11-05

Title

Feedlist < 2.70.00 - XSS

Published

2021-06-28

Title

W3 Total Cache < 2.1.4 - Reflected XSS in Extensions Page (Attribute Context)