WordPress Plugin Vulnerabilities

Select All Categories and Taxonomies < 1.3.2 - Reflected Cross-Site Scripting (XSS)

Description

The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons
Fixed in 1.3.2

References

CVE
CVE-2021-24287

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
0xB9
Submitter twitter
0xB9sec
Verified
Yes
WPVDB ID
56e1bb56-bfc5-40dd-b2d0-edef43d89bdf

Timeline

Publicly Published
2021-04-23 (about 4 years ago)
Added
2021-04-23 (about 4 years ago)
Last Updated
2021-04-24 (about 4 years ago)

Other

Published
Title
Published
2025-02-17
Title
Library Bookshelves < 5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2011-03-17
Title
Sodahead Polls < 2.0.4 - XSS
Published
2025-10-21
Title
Welcart e-Commerce < 2.11.23 - Authenticated (Editor+) Stored Cross-Site Scripting via order_mail
Published
2025-09-05
Title
Stagtools <= 2.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-06-13
Title
YITH WooCommerce Wishlist < 4.6.0 - Contributor+ Stored XSS via id Parameter