PlanSo Forms <= 2.6.3 – Authenticated Stored Cross-Site Scripting | CVE 2021-24516 | Plugin Vulnerabilities

Description

The plugin does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.

Timeline
July 12th, 2021 - Vendor notified via email
August 2nd, 2021 - Escalated to WP Plugins team due to unresponsive vendor
September 15th, 2021 - No update, public disclosure

Proof of Concept

Put the payload below in a Form Title, then view the Form List page (/wp-admin/admin.php?page=ps-form-builder) or the related Form to trigger the XSS
" style="animation-name:rotation" onanimationstart="alert(/XSS/)//

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Felipe Restrepo Rodriguez

Submitter

Felipe Restrepo Rodriguez

Submitter website

https://facebook.com

Submitter twitter

Verified

Yes

WPVDB ID

88d70e35-4c22-4bc7-b1a5-24068d55257c

Timeline

Publicly Published

2021-09-15 (about 2 years ago)

Added

2021-09-15 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

floating-tweets - Stored XSS

Published

2023-07-12

Title

Radio Forge Muses Player with Skins <= 2.5 - Reflected Cross-Site Scripting

Published

2024-01-08

Title

GD Rating System < 3.5.1 - Unauthenticated Stored Cross-Site Scripting via IP

Published

2023-09-01

Title

ShopConstruct <= 1.1.2 - Admin+ Stored XSS

Published

2023-04-20

Title

ActiveCampaign < 8.1.12 - Contributor+ Stored XSS