WordPress Plugin Vulnerabilities

WordPress Popular Posts < 5.3.3 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin did not properly sanitise or escape its Default Thumbnail setting before outputting back in the page, leading to a stored Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
wordpress-popular-posts
Fixed in 5.3.3

References

CVE
CVE-2021-20746
URL
https://plugins.trac.wordpress.org/changeset/2542638
URL
https://jvn.jp/en/jp/JVN63066062/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Yu Iwama of Secure Sky Technology Inc.
Verified
Yes
WPVDB ID
86cc93c1-daf5-43e7-8afb-66362d784ce9

Timeline

Publicly Published
2021-06-07 (about 4 years ago)
Added
2021-06-07 (about 4 years ago)
Last Updated
2022-01-17 (about 4 years ago)

Other

Published
Title
Published
2024-12-16
Title
Animated Counters <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-02-15
Title
Tapfiliate < 3.0.13 - Admin+ Stored XSS
Published
2024-03-16
Title
FV Flowplayer Video Player < 7.5.44.7212 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-11-04
Title
Donations via PayPal < 1.9.9 - Admin+ Stored XSS
Published
2024-03-21
Title
Blocksy Companion < 2.0.32 - Contributor+ Stored XSS