WordPress Plugin Vulnerabilities

GeoDirectory < 2.1.1.3 - Authenticated (admin+) Stored Cross-Site Scripting (XSS)

Description

The GeoDirectory plugin was vulnerable to Authenticated admin+ Stored Cross-Site Scripting (XSS).

Proof of Concept

Affects Plugins

Plugin icon
geodirectory
Fixed in 2.1.1.3

References

CVE
CVE-2021-24720
URL
https://github.com/BigTiger2020/word-press/blob/main/WrodPress%20Plugin%20GeoDirectory%E2%80%94%E2%80%94Stored%20Cross-Site%20Scripting%20.md
URL
https://plugins.trac.wordpress.org/changeset/2596452/geodirectory

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Thinkland Security Team
Submitter
Thinkland Security Team
Submitter website
https://github.com/BigTiger2020/word-press/blob/main/WrodPress%20Plugin%20GeoDirectory%E2%80%94%E2%80%94Stored%20Cross-Site%20Scripting%20.md
Verified
Yes
WPVDB ID
9de5cc51-f64c-4475-a0f4-d932dc4364a6

Timeline

Publicly Published
2021-09-02 (about 4 years ago)
Added
2021-09-10 (about 4 years ago)
Last Updated
2022-05-19 (about 3 years ago)

Other

Published
Title
Published
2025-07-07
Title
Wordpress Auto Spinner <= 3.25.0 - Reflected Cross-Site Scripting
Published
2021-04-12
Title
Business Directory Plugin < 5.11.2 - Authenticated Stored Cross-Site Scripting
Published
2025-09-26
Title
Woostify <= 2.4.2 - Authenticated (Shop manager+) Stored Cross-Site Scripting
Published
2025-12-11
Title
BSK PDF Manager < 3.7.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload
Published
2022-09-01
Title
Easy Org Chart <= 3.1 - Contributor+ Stored Cross-Site Scripting