WordPress Plugin Vulnerabilities

Custom Dashboard & Login Page - AGCA < 6.9.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks

Affects Plugins

Plugin icon
ag-custom-admin
Fixed in 6.9.2

References

CVE
CVE-2021-36823
YouTube Video

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Jorgson
Verified
No
WPVDB ID
c206aeb0-b70c-473d-9830-1f891fb89201

Timeline

Publicly Published
2021-07-30 (about 4 years ago)
Added
2021-09-23 (about 4 years ago)
Last Updated
2023-02-03 (about 3 years ago)

Other

Published
Title
Published
2024-08-28
Title
Nested Pages <= 3.2.8 - Editor+ Stored XSS
Published
2025-08-29
Title
Cookie Notice & Consent < 1.6.5 - Unauthenticated Stored Cross-Site Scripting
Published
2024-03-29
Title
Post-Plugin Library <= 2.6.2.1 - Reflected Cross-Site Scripting
Published
2025-12-11
Title
Contact Form 7 with ChatWork <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'api_token' and 'roomid' Settings
Published
2024-01-08
Title
PageLayer < 1.8.0 - Author+ Stored XSS