WordPress Plugin Vulnerabilities

Youzify < 1.0.7 - Stored Cross-Site Scripting via Biography

Description

The About Me widget of the plugin does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload adding a rogue account for example.

Proof of Concept

Affects Plugins

Plugin icon
youzify
Fixed in 1.0.7

References

CVE
CVE-2021-24443

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.9 (high)

Miscellaneous

Original Researcher
Phu Tran from techlabcorp.com
Submitter
Phu Tran
Submitter website
https://fergustran1008.medium.com
Submitter twitter
fergustr4n
Verified
Yes
WPVDB ID
a4432acd-df49-4a4f-8184-b55cdd5d4d34

Timeline

Publicly Published
2021-06-28 (about 4 years ago)
Added
2021-06-28 (about 4 years ago)
Last Updated
2022-01-02 (about 3 years ago)

Other

Published
Title
Published
2024-08-16
Title
Icegram < 3.1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-02-18
Title
SEO Tools <= 4.0.7 - Reflected XSS
Published
2024-03-28
Title
Elementor Addon Elements < 1.13.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-11-25
Title
Content Repeater <= 1.1.13 - Admin+ Stored XSS
Published
2023-05-15
Title
Quiz Maker < 6.4.2.7 - Reflected XSS