WordPress Plugin Vulnerabilities

404 SEO Redirection <= 1.3 - CSRF to Stored Cross-Site Scripting (XSS)

Description

The plugin is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings. Due to the lack of sanitisation and escaping in some fields, it could also lead to Stored Cross-Site Scripting issues

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

Plugin icon
404-redirection-manager
No known fix

References

CVE
CVE-2021-24324
YouTube Video

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
m0ze
Verified
Yes
WPVDB ID
63a24890-3735-4016-b4b7-4b070a842664

Timeline

Publicly Published
2021-04-16 (about 3 years ago)
Added
2021-04-27 (about 3 years ago)
Last Updated
2021-05-18 (about 2 years ago)

Other

Published
Title
Published
2020-09-22
Title
Ninja Forms < 3.4.27.1 - CSRF leading to Arbitrary Plugin Installation
Published
2020-02-01
Title
Htaccess by BestWebSoft < 1.8.2 - CSRF to edit .htaccess
Published
2021-06-08
Title
WP Prayer < 1.6.6 - Cross-Site Request Forgery
Published
2022-12-23
Title
Waiting: One-click countdowns <= 0.6.2 - Cross-Site Request Forgery
Published
2018-05-28
Title
JS Job <= 1.0.6 - CSRF