logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Weekly Schedule < 3.4.3 - Authenticated Stored XSS

Description

The "Schedule Name" input in the plugin general options did not properly sanitize input, allowing a user to inject javascript code using the <script> HTML tags and cause a stored XSS issue

Proof of Concept

Go to Weekly Schedule -> General Options (/wp-admin/admin.php?page=weekly-schedule) -> Schedule Name -> Fill the field with a payload such as <script>alert(`xss`)</script>

Affects Plugins

weekly-schedule

Fixed in version 3.4.3

References

CVE

CVE-2021-24309

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Viktor Markopoulos

Submitter

Viktor Markopoulos

Submitter website

https://www.bitcrack.net/

Submitter twitter

bitcrack_cyber

Verified

Yes

WPVDB ID

ba1d01dc-16e4-464f-94be-ed311ff6ccf9

Timeline

Publicly Published

2021-05-12 (about 1 months ago)

Added

2021-05-12 (about 1 months ago)

Last Updated

2021-05-13 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin