404 SEO Redirection <= 1.3 – CSRF to Stored Cross-Site Scripting (XSS) | CVE 2021-24324

Description

The plugin is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings. Due to the lack of sanitisation and escaping in some fields, it could also lead to Stored Cross-Site Scripting issues

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

404-redirection-manager

No known fix

References

CVE

CVE-2021-24324

YouTube Video

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

CVSS

7.1 (high)

Miscellaneous

Original Researcher

m0ze

Verified

Yes

WPVDB ID

63a24890-3735-4016-b4b7-4b070a842664

Timeline

Publicly Published

2021-04-16 (about 4 years ago)

Added

2021-04-27 (about 4 years ago)

Last Updated

2021-05-18 (about 4 years ago)

Other

Published

Title

Published

2025-08-14

Title

WP-Database-Optimizer-Tools <= 0.2 - Cross-Site Request Forgery

Published

2022-05-16

Title

Ask Me < 6.8.2 - Multiple CSRF in AJAX Actions

Published

2023-11-14

Title

Welcart e-Commerce < 2.9.5 - Cross-Site Request Forgery

Published

2022-10-17

Title

WP < 6.0.3 - CSRF in wp-trackback.php

Published

2023-10-16

Title

AGP Font Awesome Collection <= 3.2.4 - Arbitrary Settings Update via CSRF