WordPress Plugin Vulnerabilities

404 to 301 <= 2.3.0 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

There is a stored XSS in the 404-to-301 WP plugin < 2.3.1. Unauthenticated users can visit a specially crafted URL and the redirect path will be logged to the database. The redirection source is stored unescaped in the database, thus it is served as-is and evaluated in the browsers of logged-in admins when they check the redirection logs on http://wordpress/wp-admin/admin.php?page=i4t3-logs. Affected versions are <2.3.1.

Proof of Concept

Affects Plugins

Plugin icon
404-to-301
Fixed in 2.3.1

References

URL
https://gist.github.com/ldionmarcil/6793df929449f8781bb1e213d7e75e23
URL
https://github.com/joel-james/404-to-301/commit/7a4e2798eca79828c1611988289e06b6d9c18b61
URL
https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_404_to_301_wordpress_plugin.html
URL
https://seclists.org/fulldisclosure/2016/Nov/46

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter
ldionmarcil
Submitter website
https://keybase.io/ldionmarcil
Submitter twitter
https://twitter.com/ldionmarcil
Verified
No
WPVDB ID
5bc359b4-9acb-474b-9865-c03b14c49d2c

Timeline

Publicly Published
2016-08-27 (about 9 years ago)
Added
2016-08-29 (about 9 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2024-07-04
Title
Create by Mediavine < 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-07-12
Title
Essential Blocks < 4.7.0 - Contributor+ Stored XSS
Published
2025-01-10
Title
Grid Accordion Lite <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-08-10
Title
Custom Post View Generator <= 0.4.6 - Reflected Cross-Site Scripting
Published
2026-03-17
Title
WP Go Maps (formerly WP Google Maps) < 10.0.06 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings