WordPress Plugin Vulnerabilities

VM Backups <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)

Description

The plugin does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site Scripting issue.

Proof of Concept

Affects Plugins

Plugin icon
vm-backups
No known fix

References

CVE
CVE-2021-24173

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
9.6 (critical)

Miscellaneous

Original Researcher
0xB9
Submitter twitter
0xB9sec
Verified
Yes
WPVDB ID
b69ea1bc-3c9b-47d7-a164-c860ee46a9af

Timeline

Publicly Published
2021-03-13 (about 4 years ago)
Added
2021-03-13 (about 4 years ago)
Last Updated
2021-03-15 (about 4 years ago)

Other

Published
Title
Published
2025-01-24
Title
Really Simple SSL < 9.2.0 - Cross-Site Request Forgery
Published
2023-07-26
Title
WP Tell a Friend Popup Form <= 7.1 - Settings Update via CSRF
Published
2023-09-07
Title
EmbedPress < 3.8.4 - Cross-Site Request Forgery
Published
2025-03-27
Title
Float menu < 6.1.3 - Cross-Site Request Forgery to Settings Update
Published
2023-08-11
Title
SB Child List <= 4.5 - Settings Update via CSRF