WordPress Plugin Vulnerabilities

PhoneTrack Meu Site Manager <= 0.1 - Authenticated Stored XSS

Description

The plugin does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue.

Proof of Concept

Affects Plugins

Plugin icon
phonetrack-meu-site-manager
No known fix

References

CVE
CVE-2021-24534

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
ABISHEIK M
Submitter
ABISHEIK M
Submitter twitter
abisheikmagesh
Verified
Yes
WPVDB ID
b968b9a1-67f3-4bef-a3d3-6e8942bb6570

Timeline

Publicly Published
2021-07-19 (about 4 years ago)
Added
2021-07-19 (about 4 years ago)
Last Updated
2023-01-23 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Seo Link Rotator - pusher.php title Parameter Reflected XSS
Published
2025-06-23
Title
Infility Global <= 2.14.48 - Reflected Cross-Site Scripting
Published
2024-09-30
Title
Accordion & FAQ – Helpie WordPress Accordion FAQ Plugin < 1.28 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2024-11-08
Title
File Select Control For Elementor <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-25
Title
Post Grid, Slider & Carousel Ultimate < 1.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting