Add Subtitle <= 1.1.0 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24897 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape the sub-title field (available only with classic editor) when output in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks

Proof of Concept

(The classic editor plugin is needed to see the sub-title field)

- Create a post as contributor+
- Add the following payload in the sub-title field: <script>alert(/XSS/)</script>
- View/preview the post to trigger the XSS

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

http://carluc.ci

Submitter twitter

Verified

Yes

WPVDB ID

a0dd1da8-f8d2-453d-a2f2-711a49fb6466

Timeline

Publicly Published

2022-01-26 (about 2 years ago)

Added

2022-02-15 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2024-04-17

Title

EAN for WooCommerce < 4.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via alg_wc_ean_product_meta Shortcode

Published

2021-08-16

Title

SEOPress 5.0.0 – 5.0.3 - Authenticated Stored Cross-Site Scripting

Published

2022-01-31

Title

WS Form < 1.8.176 - Admin+ Stored Cross-Site Scripting

Published

2019-06-18

Title

GA Backend Tracking <= 1.2 - XSS

Published

2024-05-01

Title

Sydney Toolbox < 1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting