Weekly Schedule < 3.4.3 – Authenticated Stored XSS | CVE 2021-24309 | Plugin Vulnerabilities

Description

The "Schedule Name" input in the plugin general options did not properly sanitize input, allowing a user to inject javascript code using the <script> HTML tags and cause a stored XSS issue

Proof of Concept

Go to Weekly Schedule -> General Options (/wp-admin/admin.php?page=weekly-schedule) -> Schedule Name -> Fill the field with a payload such as <script>alert(`xss`)</script>

Affects Plugins

weekly-schedule

Fixed in 3.4.3

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Viktor Markopoulos

Submitter

Viktor Markopoulos

Submitter website

https://www.bitcrack.net/

Submitter twitter

Verified

Yes

WPVDB ID

ba1d01dc-16e4-464f-94be-ed311ff6ccf9

Timeline

Publicly Published

2021-05-12 (about 4 years ago)

Added

2021-05-12 (about 4 years ago)

Last Updated

2021-05-13 (about 4 years ago)

Other

Published

Title

Published

2025-12-04

Title

Thai Lottery Widget <= 2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Published

2025-07-31

Title

Sina Extension for Elementor < 3.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Sina Posts`, `Sina Blog Post` and `Sina Table` Widgets

Published

2024-12-30

Title

Form Maker by 10Web < 1.15.33 - Admin+ Stored XSS via Theme Title

Published

2022-02-14

Title

LoginPress < 1.5.12 - Reflected Cross-Site Scripting

Published

2025-03-25

Title

Ultimate Blocks < 3.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter