WordPress Plugin Vulnerabilities

Better Find and Replace < 1.2.9 - Reflected Cross-Site Scripting

Description

The plugin does not escape the 's' GET parameter before outputting back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
real-time-auto-find-and-replace
Fixed in 1.2.9

References

CVE
CVE-2021-24676

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
59589e74-f901-4f4d-81de-26ad19d1b7fd

Timeline

Publicly Published
2021-09-06 (about 4 years ago)
Added
2021-09-06 (about 4 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2015-08-21
Title
WP Crontrol < 1.3 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2025-05-01
Title
GmapsMania <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-10-24
Title
Button contact VR < 4.7.10 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-12-11
Title
Smart Agenda – Prise de rendez-vous en ligne < 4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-03-04
Title
Conference Scheduler < 2.4.3 - Reflected Cross-Site Scripting