WordPress Plugin Vulnerabilities

SEO Redirection < 6.4 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

The setting page of the plugin is vulnerable to reflected Cross-Site Scripting (XSS) as user input is not properly sanitised before being output in an attribute.

Timeline (WPScanTeam)
January 29th, 2021 - Report received & Confirmed & Escalated to WordPress plugins Team (who confirmed to have received the report)
March 16th, 2021 - No updates, disclosing
April 18th, 2021 - v6.4 released, fixing the issue

Proof of Concept

Affects Plugins

Plugin icon
seo-redirection
Fixed in 6.4

References

CVE
CVE-2021-24187

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Submitter
Nguyen Anh Tien
Submitter website
https://research.sun-asterisk.com/
Submitter twitter
vigov5
Verified
Yes
WPVDB ID
c234700e-61dd-46a0-90fb-609e704269a9

Timeline

Publicly Published
2021-03-16 (about 4 years ago)
Added
2021-03-16 (about 4 years ago)
Last Updated
2021-04-27 (about 4 years ago)

Other

Published
Title
Published
2024-10-29
Title
HT Team Member < 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via htteamember Shortcode
Published
2022-09-09
Title
We’re Open! < 1.38 - Admin+ Stored XSS
Published
2025-06-05
Title
Powie's Uptime Robot <= 0.9.7 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-09-30
Title
Create < 2.9.2 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2024-01-22
Title
Sticky Buttons < 3.2.3 - Authenticated (Admin+) Stored Cross-Site Scripting