VM Backups <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)

Description

The plugin does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site Scripting issue.

Proof of Concept

The PoC will be displayed once the issue has been remediated

Affects Plugins

vm-backups

No known fix - plugin closed

References

CVE

CVE-2021-24173

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

Miscellaneous

Original Researcher

0xB9

Submitter twitter

0xB9sec

Verified

Yes

WPVDB ID

b69ea1bc-3c9b-47d7-a164-c860ee46a9af

Timeline

Publicly Published

2021-03-13 (about 6 months ago)

Added

2021-03-13 (about 6 months ago)

Last Updated

2021-03-15 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin