WordPress Plugin Vulnerabilities

Duplicate Page < 4.4.3 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

The attempt to fix the issue in 4.4.2 is insufficient and still allows for XSS.

Proof of Concept

Put the following payload in the Duplicate Post Suffix setting of the plugin:
- v < 4.4.2: "><svg/onload=confirm(/XSS/)>
- v < 4.4.3: " style=animation-name:rotation onanimationstart=alert(/XSS/)//

Affects Plugins

Plugin icon
duplicate-page
Fixed in 4.4.3

References

CVE
CVE-2021-24681
Exploitdb
50256

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Nikhil Kapoor from EsecForte
Submitter
Nikhil Kapoor from EsecForte
Verified
Yes
WPVDB ID
9ebdd1df-1d6f-4399-8b0f-77a79f841464

Timeline

Publicly Published
2021-08-28 (about 2 years ago)
Added
2021-09-07 (about 2 years ago)
Last Updated
2023-01-30 (about 10 months ago)

Other

Published
Title
Published
2021-09-15
Title
Shared Files < 1.6.57 - Admin+ Stored Cross-Site Scripting
Published
2023-10-29
Title
Slick Popup: Contact Form 7 Popup Plugin < 1.7.15 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2022-08-23
Title
Scroll To Top < 1.4.1 - Admin+ Stored Cross-Site Scripting
Published
2021-09-23
Title
YITH Maintenance Mode < 1.4.0 - Multiple Admin+ Stored Cross-Site Scripting
Published
2021-04-15
Title
Clever Addons for Elementor < 2.1.0 - Contributor+ Stored XSS