youForms for WordPress <= 1.0.5 – Authenticated Stored Cross-Site Scripting | CVE 2021-24596 | Plugin Vulnerabilities

Description

The plugin does not sanitise escape the Button Text field of its Templates, allowing high privilege users (editors and admins) to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Create/edit a template and put the following payloads in the Button text/Button subtext/Header text/Header subtext fields of the Change button template text/Change template modal text sections:

<script>alert(/XSS/)</script>
" style=animation-name:rotation onanimationstart=alert(/XSS/)//

The XSS will be triggered when viewing the template again in the admin dashboard

https://github.com/xiahao90/CVEproject/blob/main/wordpress_youFormsfreeforCopeCart_XSS.md

Affects Plugins

youforms-free-for-copecart

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

xiahao@webray.com.cn inc

Submitter

xiahao@webray.com.cn inc

Submitter twitter

lAmn9V6MU9Dfb8p

Verified

Yes

WPVDB ID

b5def0e7-2b4a-43e0-8175-28b28aa2f8ae

Timeline

Publicly Published

2021-07-30 (about 4 years ago)

Added

2021-08-19 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2023-01-17

Title

TemplatesNext ToolKit < 3.2.8 - Contributor+ Stored XSS

Published

2024-12-10

Title

ImageRecycle pdf & image compression < 3.1.17 - Reflected Cross-Site Scripting

Published

2025-01-16

Title

Easy Filtering <= 2.5.0 - Reflected Cross-Site Scripting

Published

2023-11-06

Title

Webpushr < 4.35.0 - Unauthenticated Stored XSS

Published

2022-07-18

Title

WP OAuth2 Server <= 1.0.1 - Authentication Bypass