MPL-Publisher – Self-publish your book & ebook < 1.30.4 – Admin+ Stored Cross-Site Scripting | CVE 2021-39343 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/libs/PublisherController.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

Fixed in 1.30.4

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39343

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Thinkland Security Team

Verified

No

WPVDB ID

7e8f5ec9-4a1c-4c3b-b769-93862476e88f

Timeline

Publicly Published

2021-10-15 (about 4 years ago)

Added

2021-10-16 (about 4 years ago)

Last Updated

2022-04-15 (about 4 years ago)

Other

Published

Title

Published

2023-08-16

Title

Plausible Analytics < 1.3.4 - Reflected XSS

Published

2025-08-18

Title

Cookie Warning <= 1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2021-10-15

Title

YOP Poll < 6.3.1 - Author+ Stored Cross-Site Scripting via Preview Module

Published

2025-07-31

Title

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce < 6.3.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-02

Title

Gravel <= 1.6 - Reflected Cross-Site Scripting