WordPress Plugin Vulnerabilities

Passster < 3.5.5.8 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not escape the area parameter of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

Proof of Concept

Affects Plugins

Plugin icon
content-protector
Fixed in 3.5.5.8

References

CVE
CVE-2021-24837

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
5fea3ac3-d599-41f3-8f76-08f0d3552af1

Timeline

Publicly Published
2022-12-29 (about 2 years ago)
Added
2022-12-29 (about 2 years ago)
Last Updated
2022-12-29 (about 2 years ago)

Other

Published
Title
Published
2025-01-03
Title
Pretty Simple Popup Builder < 1.0.10 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-07-16
Title
Youtube Vimeo Video Player and Slider < 3.9 - Reflected Cross-Site Scripting
Published
2024-05-07
Title
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) < 3.14.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-09
Title
Tournamatch <= 4.7.0 - Reflected Cross-Site Scripting
Published
2021-04-26
Title
Happy Addons for Elementor Free < 2.24.0 and Pro < 1.17.0 - Contributor+ Stored XSS