WordPress Plugin Vulnerabilities

MX Time Zone Clocks < 3.4.1 - Contributor+ Cross-Site Scripting

Description

The plugin does not escape the time_zone attribute of the mxmtzc_time_zone_clocks shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

Affects Plugins

Plugin icon
mx-time-zone-clocks
Fixed in 3.4.1

References

CVE
CVE-2021-24671

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
4e51dffa-027d-4f3d-a190-dcc5269f6435

Timeline

Publicly Published
2021-08-25 (about 4 years ago)
Added
2021-08-25 (about 4 years ago)
Last Updated
2022-04-10 (about 3 years ago)

Other

Published
Title
Published
2025-08-20
Title
Themify Icons < 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-07-08
Title
WPBITS Addons For Elementor Page Builder < 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Published
2025-01-16
Title
Passwordless WP – Login with your glance or fingerprint <= 1.1.6 - Reflected Cross-Site Scripting
Published
2021-05-04
Title
Hotjar Connecticator <= 1.1.1 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2024-08-03
Title
Traffic Manager <= 1.4.5 - Unauthenticated Stored Cross-Site Scripting