logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Easy Preloader <= 1.0.0 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin does not sanitise its setting fields, leading to authenticated (admin+) Stored Cross-Site scripting issues

Proof of Concept

Step 1: Install the plugin "Easy Preloader"

Step 2: Enter the payload below in the text field "Choose overlay color" (or any other text fields) in the plugin's settings (wp-admin/options-general.php?page=ep-options)

"><script>alert(/XSS/)</script>

Step 3: The script will be stored and executed all the times when going to the plugin settings.

Affects Plugins

easy-preloader

No known fix - plugin closed

References

CVE

CVE-2021-24344

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Kishore Hariram

Submitter

Kishore Hariram

Submitter twitter

kishorehariram

Verified

Yes

WPVDB ID

6d6c1d46-5c3d-4d56-9728-2f94064132aa

Timeline

Publicly Published

2021-05-24 (about 3 months ago)

Added

2021-05-24 (about 3 months ago)

Last Updated

2021-08-10 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin