WP Subscribe < 1.2.13 – Admin+ Stored Cross-Site Scripting | CVE 2021-36844 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its widgets settings, which could allow high privilege users such as admin to perform Cross-Site Scripting even when unfiltered_html is disallowed

Proof of Concept

Add the widget of the plugin to a page, and put the following payload in settings such as "Title", "Text", "Email Placeholder" etc: "><img src onerror=alert(/XSS/)>

Affects Plugins

Fixed in 1.2.13

References

CVE

URL

https://www.hackpertise.com/cve/36-cve-2021-36844/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Asif Nawaz Minhas

Verified

No

WPVDB ID

55171af5-736f-41ed-bfb0-e3162214f0e6

Timeline

Publicly Published

2022-05-02 (about 4 years ago)

Added

2022-05-02 (about 4 years ago)

Last Updated

2022-08-02 (about 3 years ago)

Other

Published

Title

Published

2021-12-01

Title

Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in Product XML Feeds Module

Published

2024-01-23

Title

Add SVG Support for Media Uploader | inventivo <= 1.0.5 - Author+ Stored XSS via SVG

Published

2022-01-17

Title

Form Store to DB < 1.1.1 - Unauthenticated Stored Cross-Site Scripting

Published

2024-11-28

Title

Multilevel Referral Affiliate Plugin for WooCommerce < 2.28 - Reflected XSS

Published

2025-06-05

Title

WP Social Widget < 2.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting