Easy Accordion < 2.0.22 – Admin+ Stored Cross-Site Scripting | CVE 2021-24576 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize inputs when adding new items to an accordion.

Proof of Concept

When adding new items to an accordion, an injection payload of "<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>" for an accordion item's title will result in XSS in the wp-admin page as well as on pages that show the accordion.

Affects Plugins

easy-accordion-free

Fixed in 2.0.22

References

CVE

URL

https://www.hackpertise.com/cve/15-cve-2021-24576/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Asif Nawaz Minhas

Submitter

Asif Nawaz Minhas

Verified

Yes

WPVDB ID

4d0c60d1-db5a-4c4f-9bdb-669975ac7210

Timeline

Publicly Published

2021-09-10 (about 2 years ago)

Added

2021-09-10 (about 2 years ago)

Last Updated

2023-04-12 (about 1 years ago)

Other

Published

Title

Published

2016-11-16

Title

All In One WP Security & Firewall 4.1.4-4.1.9 - Authenticated Cross-Site Scripting (XSS)

Published

2024-04-09

Title

Premium Addons for Elementor < 4.10.25 - Contributor+ DOM-Based Stored Cross-Site Scripting

Published

2015-02-09

Title

Redirection Page <= 1.2 - CSRF/XSS

Published

2024-04-25

Title

Newsletter Popup <= 1.2 - Admin+ Stored XSS

Published

2023-11-03

Title

Download Top 25 Social Icons <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode