WP SMS < 5.4.13 – Authenticated Stored Cross-Site Scripting | CVE 2021-24561 | Plugin Vulnerabilities

Description

The plugin does not sanitise the "wp_group_name" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue

(WPScanTeam): During the verification of the fixes with the vendor, other payloads and injection points were identified, reported and fixed

Proof of Concept

Add/edit a Group with the following name: <svg/onload=alert(/XSS/)>

(WPScanTeam): Another payload (noticed when working with the vendor on the fixes) 1')" style=animation-name:rotation onanimationstart=alert(/XSS/)//

Affects Plugins

Fixed in 5.4.13

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2570762/wp-sms

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Muhammad Daffa

Submitter

Muhammad Daffa

Submitter website

https://daffa.tech

Submitter twitter

Verified

Yes

WPVDB ID

5433ef4c-4451-4b6e-992b-69c5eccabf90

Timeline

Publicly Published

2021-07-26 (about 4 years ago)

Added

2021-07-26 (about 4 years ago)

Last Updated

2022-02-24 (about 3 years ago)

Other

Published

Title

Published

2024-05-21

Title

Elegant Addons for elementor <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via HTML tags

Published

2024-10-14

Title

wpPricing Builder <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-04-01

Title

Genesis Blocks < 3.1.3 - Contributor+ Stored XSS

Published

2015-04-12

Title

Contact Form Plugin < 3.96 - XSS

Published

2022-10-12

Title

5 Anker Connect < 1.2.7 - Reflected Cross-Site Scripting