Dflip Lite < 1.7.10 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24732

Description

The plugin does not escape the class attribute of its shortcode before outputting it back in an attribute, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

[dflip class='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)//']

Affects Plugins

3d-flipbook-dflip-lite

Fixed in 1.7.10

References

CVE

CVE-2021-24732

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.8 (medium)

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

9425a9b2-e9b8-41f5-a3ca-623b6da0297c

Timeline

Publicly Published

2021-09-15 (about 2 years ago)

Added

2021-09-15 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2022-07-18

Title

Google Maps Anywhere <= 1.2.6.3 - Admin+ Stored Cross-Site Scripting

Published

2022-04-14

Title

Modern Events Calendar Lite < 6.5.2 - Admin+ Stored Cross-Site Scripting

Published

2022-04-07

Title

Plausible Analytics < 1.2.3 - Admin+ Stored Cross-Site Scripting

Published

2023-11-21

Title

ARI Stream Quiz < 1.3.0 - Cross-Site Request Forgery

Published

2023-07-17

Title

Bubble Menu < 3.0.5 - Admin+ Stored XSS