WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Weekly Schedule < 3.4.3 - Authenticated Stored XSS

Description

The "Schedule Name" input in the plugin general options did not properly sanitize input, allowing a user to inject javascript code using the <script> HTML tags and cause a stored XSS issue

Proof of Concept

Go to Weekly Schedule -> General Options (/wp-admin/admin.php?page=weekly-schedule) -> Schedule Name -> Fill the field with a payload such as <script>alert(`xss`)</script>

Affects Plugins

weekly-schedule
Fixed in version 3.4.3

References

CVE
CVE-2021-24309

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Viktor Markopoulos

Submitter

Viktor Markopoulos

Submitter website
https://www.bitcrack.net/
Submitter twitter
bitcrack_cyber
Verified

Yes

WPVDB ID
ba1d01dc-16e4-464f-94be-ed311ff6ccf9

Timeline

Publicly Published

2021-05-12 (about 1 years ago)

Added

2021-05-12 (about 1 years ago)

Last Updated

2021-05-13 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin