Add Subtitle <= 1.1.0 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24897 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape the sub-title field (available only with classic editor) when output in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks

Proof of Concept

(The classic editor plugin is needed to see the sub-title field)

- Create a post as contributor+
- Add the following payload in the sub-title field: <script>alert(/XSS/)</script>
- View/preview the post to trigger the XSS

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

http://carluc.ci

Submitter twitter

Verified

Yes

WPVDB ID

a0dd1da8-f8d2-453d-a2f2-711a49fb6466

Timeline

Publicly Published

2022-01-26 (about 3 years ago)

Added

2022-02-15 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2024-06-22

Title

Product Enquiry for WooCommerce < 3.1.8 - Admin+ Stored XSS

Published

2025-05-16

Title

Dot html,php,xml etc pages <= 1.0 - Reflected Cross-Site Scripting

Published

2023-09-22

Title

WP Mailto Links – Protect Email Addresses < 3.1.4 - Contributor+ Stored XSS

Published

2021-04-21

Title

Accordion < 2.2.30 - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2015-11-24

Title

Websimon Tables <= 1.3.4 - Authenticated Reflected Cross-Site Scripting (XSS)