WordPress Plugin Vulnerabilities

WP Header Images < 2.0.1 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
wp-header-images
Fixed in 2.0.1

References

CVE
CVE-2021-24798

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
58c9a007-42db-4142-b096-0b9ba8850f87

Timeline

Publicly Published
2021-10-11 (about 4 years ago)
Added
2021-10-11 (about 4 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2024-11-28
Title
소셜 공유 버튼 By 코스모스팜 <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-05-20
Title
PopupAlly < 2.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-05-19
Title
Newsletter < 8.8.5 - Admin+ Stored XSS via Widget
Published
2020-04-03
Title
WP Last Modified Info < 1.6.6 - Authenticated Stored XSS
Published
2023-07-24
Title
IURNY by INDIGITALL < 3.2.3 - Admin+ Stored XSS