WordPress Plugin Vulnerabilities

WP Hardening < 1.2.2 - Reflected XSS via URI

Description

The plugin did not sanitise or escape the $_SERVER['REQUEST_URI'] before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.

Proof of Concept

Affects Plugins

Plugin icon
wp-security-hardening
Fixed in 1.2.2

References

CVE
CVE-2021-24372

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.8 (medium)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
5340ae4e-95ba-4a69-beb1-3459cac17782

Timeline

Publicly Published
2021-06-07 (about 4 years ago)
Added
2021-06-07 (about 4 years ago)
Last Updated
2021-06-25 (about 4 years ago)

Other

Published
Title
Published
2024-05-30
Title
Premium Addons for Elementor < 4.10.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text Widget
Published
2025-08-19
Title
iFrame Block <= 0.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-10-16
Title
TheGem Theme Elements (for WPBakery) < 5.10.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2015-02-22
Title
Contact Form DB < 2.8.28 - Authenticated Cross-Site Scripting (XSS)
Published
2020-05-07
Title
Iframe < 4.5 - Authenticated Stored Cross Site Scripting (XSS)