WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Pixel Cat Lite < 2.6.3 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

Proof of Concept

Put the following payload in the Google Product Category setting of the plugin (at wp-admin/admin.php?page=fca_pc_settings_page in the E-Commerce > Advanced Feed Settings, needs WooCommerce activated): ' style=animation-name:rotation onanimationstart=alert(/XSS/)//

The XSS will be trigged when showing the setting again

Affects Plugins

facebook-conversion-pixel
Fixed in version 2.6.3

References

CVE
CVE-2021-24972

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website
https://blog.szfszf.top
Submitter twitter
JrXnm
Verified

Yes

WPVDB ID
b960cb36-62de-4b9f-a35d-144a34a4c63d

Timeline

Publicly Published

2021-11-15 (about 1 years ago)

Added

2021-11-15 (about 1 years ago)

Last Updated

2022-09-26 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin