WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Site Reviews < 5.13.1 - Admin+ Stored XSS

Description

The plugin does not sanitise some of its Review Details when adding a review as an admin, which could allow them to perform Cross-Site Scripting attacks when the unfiltered_html is disallowed

Proof of Concept

As an admin, create a review via the Admin dashboard (/wp-admin/post-new.php?post_type=site-review) and add the following payload in the Name/IP Address fields of the Review Details section: <script>alert(/XSS/)</script>

The XSS will be triggered when viewing the Reviews list table in the admin dashboard

Affects Plugins

site-reviews
Fixed in version 5.13.1

References

CVE
CVE-2021-24603
URL
https://www.hackpertise.com/cve/9-cve-2021-24603/

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Asif Nawaz Minhas

Submitter

Asif Nawaz Minhas

Verified

Yes

WPVDB ID
72aea0e5-1fa7-4827-a173-59982202d323

Timeline

Publicly Published

2021-08-09 (about 1 years ago)

Added

2021-08-09 (about 1 years ago)

Last Updated

2023-04-12 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin