Author Bio Box < 3.4.0 – Admin+ Stored Cross-Site Scripting | CVE 2021-39349 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-author-bio-box-admin.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

Fixed in 3.4.0

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39349

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Thinkland Security Team

Verified

Yes

WPVDB ID

bc6b46d2-bdff-46d6-8347-59cf510dd61d

Timeline

Publicly Published

2021-10-14 (about 4 years ago)

Added

2021-10-15 (about 4 years ago)

Last Updated

2022-04-15 (about 3 years ago)

Other

Published

Title

Published

2024-08-07

Title

Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce < 2.6.16 - Reflected Cross-Site Scripting

Published

2025-02-11

Title

CM Map Locations < 2.0.9 - Reflected Cross-Site Scripting

Published

2025-07-30

Title

Easy Elementor Addons < 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-06-20

Title

Quiz and Survey Master < 9.0.5 - Contributor+ Stored XSS

Published

2026-01-11

Title

Penci Podcast <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting