WordPress Plugin Vulnerabilities

DrawBlog <= 0.90 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin does not sanitise or validate some of its settings before outputting them back in the page, leading to an authenticated stored Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
drawblog
No known fix

References

CVE
CVE-2021-24479

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
ABISHEIK M
Submitter
ABISHEIK M
Submitter twitter
abisheikmagesh
Verified
Yes
WPVDB ID
5fd2246a-fbd9-4f2a-8b0b-a64c3f91157c

Timeline

Publicly Published
2021-06-28 (about 4 years ago)
Added
2021-06-28 (about 4 years ago)
Last Updated
2022-01-02 (about 3 years ago)

Other

Published
Title
Published
2021-06-28
Title
Yada Wiki < 3.4.1 - Contributor+ Stored XSS
Published
2024-11-20
Title
Block Editor Bootstrap Blocks < 6.6.2 - Reflected Cross-Site Scripting via tab
Published
2017-11-08
Title
Simple Membership < 3.5.7 - XSS
Published
2024-10-07
Title
Bridge Core < 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-01-09
Title
Happy Elementor Addons < 3.10.1 - Contributor+ Stored Cross-Site Scripting