WordPress Plugin Vulnerabilities

WPFront Notification Bar < 2.1.0.08087 - Authenticated Stored XSS

Description

The plugin does not properly sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

To execute the XSS on all frontend pages and plugin's setting page, add the following payload in the Message Text: <svg/onload=alert(/XSS/)>

To execute XSS in the backend, via the plugin's settings, add the following payload in any of the text field settings (such as Reopen Button Image URL, Keep Closed Cookie Name, Button Text, Button URL, Display on Pages, Landing Page Cookie Name): "><script>alert(/XSS/)</script>

Affects Plugins

Plugin icon
wpfront-notification-bar
Fixed in 2.1.0.08087

References

CVE
CVE-2021-24601

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Siddheshwar Vishwambhar mane
Verified
Yes
WPVDB ID
bb437706-a918-4d66-b027-b083ab486074

Timeline

Publicly Published
2021-08-09 (about 2 years ago)
Added
2021-08-09 (about 2 years ago)
Last Updated
2022-02-24 (about 2 years ago)

Other

Published
Title
Published
2022-05-09
Title
IMDB info box <= 2.0 - Admin+ Stored Cross-Site Scripting
Published
2023-12-19
Title
Currency Converter Widget < 3.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Published
2024-03-15
Title
Ticket Tailor < 1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-02-15
Title
Sticky Ad Bar <= 1.3.1 - Admin+ Stored XSS
Published
2023-02-23
Title
VK All in One Expansion Unit < 9.87.1.0 - Reflected XSS