VDZ Verification < 1.4 – Authenticated Stored XSS | Plugin Vulnerabilities

Description

The plugin does not sanitise its Meta Tag settings, allowing high privilege users such as admin to perform XSS attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payload in any of the Meta Tag field in the plugin's Settings (/wp-admin/customize.php?autofocus[section]=vdz_verification_section): <script>alert(/XSS/)</script>

The XSS will be triggered in any pages of the frontend

Affects Plugins

vdz-verification

Fixed in 1.4

References

URL

https://plugins.trac.wordpress.org/changeset/2566205

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Verified

Yes

WPVDB ID

85589987-377d-4e07-93a1-489cd1fe82fb

Timeline

Publicly Published

2021-07-17 (about 4 years ago)

Added

2021-07-19 (about 4 years ago)

Last Updated

2021-07-19 (about 4 years ago)

Other

Published

Title

Published

2026-05-11

Title

WP Google Maps Integration <= 1.2 - Reflected Cross-Site Scripting via 'page' Parameter

Published

2023-06-26

Title

Cryptocurrency All-in-One <= 3.0.19 - Contributor+ Stored XSS

Published

2014-08-01

Title

Buddypress <= 1.9.1 - Stored Cross-Site Scripting (XSS)

Published

2026-03-10

Title

Wolverine Framework <= 1.9 - Reflected Cross-Site Scripting

Published

2023-03-21

Title

Disqus Conditional Load < 11.1.2 - Admin+ Stored Cross-Site Scripting