WordPress Plugin Vulnerabilities

Custom Post Type Relations <= 1.0 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to Reflected Cross-Site Scripting via the cptr[name] parameter found in the ~/pages/admin-page.php file which allows attackers to inject arbitrary web scripts

Affects Plugins

Plugin icon
custom-post-type-relations
No known fix

References

CVE
CVE-2021-34654
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34654

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
p7e4
Verified
No
WPVDB ID
a4b40480-50b2-4ed5-847f-dd97a216b06f

Timeline

Publicly Published
2021-08-13 (about 4 years ago)
Added
2021-08-13 (about 4 years ago)
Last Updated
2023-01-26 (about 3 years ago)

Other

Published
Title
Published
2025-02-21
Title
Easy Form by AYS < 2.7.0 - Reflected Cross-Site Scripting
Published
2024-08-26
Title
Esotera < 1.2.6 - Contributor+ Stored XSS
Published
2025-01-06
Title
WP FullCalendar < 1.6 - Contributor+ Stored XSS
Published
2024-11-08
Title
Custom URL Shortener <= 0.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-28
Title
Podlove Podcast Publisher < 4.1.24 - Admin+ Stored XSS