WordPress Plugin Vulnerabilities

RSS for Yandex Turbo < 1.31 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise or escape some of its settings before saving and outputing them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed.

Proof of Concept

Affects Plugins

Plugin icon
rss-for-yandex-turbo
Fixed in 1.31

References

CVE
CVE-2021-24428
URL
https://m0ze.ru/vulnerability/[2021-04-23]-[WordPress]-[CWE-79]-RSS-for-Yandex-Turbo-WordPress-Plugin-v1.30.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
m0ze
Submitter
m0ze
Submitter website
https://m0ze.ru/
Submitter twitter
vladm0ze
Verified
Yes
WPVDB ID
9fcf6ebe-01d9-4730-a20e-58b192bb6d87

Timeline

Publicly Published
2021-06-15 (about 4 years ago)
Added
2021-06-28 (about 4 years ago)
Last Updated
2022-03-05 (about 3 years ago)

Other

Published
Title
Published
2025-07-15
Title
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations < 2.0.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-01
Title
Admin and Site Enhancements < 7.9.8 - Authenticated Stored XSS via SVG
Published
2014-08-01
Title
EELV Newsletter - Cross-Site Scripting
Published
2021-12-06
Title
Site Reviews < 5.17.3 - Unauthenticated Stored Cross-Site Scripting
Published
2020-03-27
Title
CM Pop-Up banners < 1.4.11 - Authenticated Stored XSS