About Author Box < 1.0.2 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24745 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow user with a role as low as contributor to perform Cross-Site Scripting attacks.

Proof of Concept

With a role as low as Contributor, put the following payloads in one of the Social Profile fields in your profile (/wp-admin/profile.php):
- javascript:alert(/XSS/)
- " style=animation-name:twentytwentyone-close-button-transition onanimationend=alert(/XSS/)//

The XSS will be triggered on posts published by the user and might require user interaction.

Affects Plugins

about-author-box

Fixed in 1.0.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

http://carluc.ci/

Submitter twitter

Verified

Yes

WPVDB ID

a965aeca-d8f9-4070-aa0d-9c9b95493dda

Timeline

Publicly Published

2021-10-26 (about 4 years ago)

Added

2021-10-26 (about 4 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2021-08-11

Title

Per Page Add to Head <= 1.4.4 - Authenticated Stored XSS

Published

2022-12-05

Title

Kwayy HTML Sitemap < 4.0 - Admin+ Stored XSS

Published

2015-04-14

Title

iThemes Security 3.0-4.6.12 – Stored Cross-Site Scripting (XSS)

Published

2022-04-25

Title

Night Mode < 1.4.0 - Admin+ Stored Cross-Site Scripting

Published

2023-10-16

Title

Timely Booking Button <= 2.0.2 - Admin+ Stored XSS