WP Page Builder < 1.2.4 – Multiple Stored Cross-Site scripting (XSS) | CVE 2021-24208 | Plugin Vulnerabilities

Description

The editor of the plugin allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML” widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the “page_builder_data” parameter when performing the “wppb_page_save” AJAX action. It is also possible to insert malicious JavaScript via the “wppb_page_css” parameter (this can be done by closing out the style tag and opening a script tag) when performing the “wppb_page_save” AJAX action.

Affects Plugins

Fixed in 1.2.4

References

CVE

URL

https://www.wordfence.com/blog/2021/04/vulnerabilities-patched-in-wp-page-builder/

URL

https://www.themeum.com/wp-page-builder-updated-v1-2-4/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall

Submitter

Ramuel Gall

Submitter twitter

Verified

Yes

WPVDB ID

c20e243d-b0de-4ae5-9a0d-b9d02c9b8141

Timeline

Publicly Published

2021-03-17 (about 3 years ago)

Added

2021-03-18 (about 3 years ago)

Last Updated

2021-04-09 (about 3 years ago)

Other

Published

Title

Published

2024-05-14

Title

WPZOOM Addons for Elementor (Templates, Widgets) < 1.1.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Box Widget

Published

2023-10-22

Title

TCD Google Maps <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2014-08-01

Title

Register Plus Redux <= 3.8.3 - Cross-Site Scripting (XSS)

Published

2023-09-21

Title

Shared Files < 1.7.6 - Unauthenticated Stored Cross-Site Scripting

Published

2024-02-26

Title

Media Alt Renamer 0.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via _wp_attachment_image_alt postmeta