CoolClock < 4.3.5 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24670 | Plugin Vulnerabilities

Description

The plugin does not escape some shortcode attributes, allowing users with a role as low as Contributor toperform Stored Cross-Site Scripting attacks

Proof of Concept

As a user with a role as low as contributor, put the following shortcode in a post/page and view/preview it to trigger the XSS (which is specific to the TwentyTwentuOne theme but could be changed)

[coolclock fontcolor='orange" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)//']

Affects Plugins

Fixed in 4.3.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

a092548f-1ad5-44d3-9901-cdf4ebcee40a

Timeline

Publicly Published

2021-08-30 (about 2 years ago)

Added

2021-08-30 (about 2 years ago)

Last Updated

2022-04-11 (about 2 years ago)

Other

Published

Title

Published

2021-10-12

Title

WooCommerce Products Table < 1.0.4 - Reflected Cross-Site Scripting

Published

2023-07-17

Title

Multiple DeoThemes Themes - Reflected Cross-Site Scripting

Published

2023-05-15

Title

Video Gallery < 1.0.11 - Reflected XSS

Published

2015-08-19

Title

Floating Social Media Icon <= 2.1 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2022-11-10

Title

WPUpper Share Buttons < 3.43 - Admin+ Stored XSS