CoolClock < 4.3.5 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24670 | Plugin Vulnerabilities

Description

The plugin does not escape some shortcode attributes, allowing users with a role as low as Contributor toperform Stored Cross-Site Scripting attacks

Proof of Concept

As a user with a role as low as contributor, put the following shortcode in a post/page and view/preview it to trigger the XSS (which is specific to the TwentyTwentuOne theme but could be changed)

[coolclock fontcolor='orange" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)//']

Affects Plugins

Fixed in 4.3.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

a092548f-1ad5-44d3-9901-cdf4ebcee40a

Timeline

Publicly Published

2021-08-30 (about 4 years ago)

Added

2021-08-30 (about 4 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2024-05-22

Title

Hash Elements < 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter in Multiple Widgets

Published

2025-09-05

Title

SS Font Awesome Icon <= 4.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

cleeng <= 2.3.2 - XSS in ZeroClipboard

Published

2024-10-31

Title

MasterBip para Elementor <= 1.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-01-26

Title

WordPress GDPR & CCPA < 1.9.26 - Authenticated Reflected Cross-Site Scripting