WordPress Plugin Vulnerabilities

Leaky Paywall < 4.16.7 - Admin+ Stored Cross-Site Scripting

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the ~/class.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Proof of Concept

Affects Plugins

Plugin icon
leaky-paywall
Fixed in 4.16.7

References

CVE
CVE-2021-39357
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39357

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Thinkland Security Team
Verified
Yes
WPVDB ID
a0a272cf-0660-44b2-90b2-08a6a5bb21e8

Timeline

Publicly Published
2021-10-18 (about 4 years ago)
Added
2021-10-18 (about 4 years ago)
Last Updated
2022-04-09 (about 3 years ago)

Other

Published
Title
Published
2024-10-21
Title
Affiliate Platform <= 1.4.8 - Reflected Cross-Site Scripting
Published
2025-04-01
Title
WP Plugin Info Card < 5.3.1 - Contributor+ Stored XSS
Published
2020-07-21
Title
Elementor < 2.9.14 - Authenticated Stored Cross-Site Scripting
Published
2023-04-19
Title
Uji Popup <= 1.4.3 - Contributor+ Stored XSS
Published
2023-01-27
Title
Quick Restaurant Menu < 2.1.0 - Admin+ Stored XSS