WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Easy Preloader <= 1.0.0 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin does not sanitise its setting fields, leading to authenticated (admin+) Stored Cross-Site scripting issues

Proof of Concept

Step 1: Install the plugin "Easy Preloader"

Step 2: Enter the payload below in the text field "Choose overlay color" (or any other text fields) in the plugin's settings (wp-admin/options-general.php?page=ep-options)

"><script>alert(/XSS/)</script>

Step 3: The script will be stored and executed all the times when going to the plugin settings.

Affects Plugins

easy-preloader
No known fix - plugin closed

References

CVE
CVE-2021-24344

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Kishore Hariram

Submitter

Kishore Hariram

Submitter twitter
kishorehariram
Verified

Yes

WPVDB ID
6d6c1d46-5c3d-4d56-9728-2f94064132aa

Timeline

Publicly Published

2021-05-24 (about 1 years ago)

Added

2021-05-24 (about 1 years ago)

Last Updated

2021-08-10 (about 10 months ago)

Our Other Services

WPScan WordPress Security Plugin