Highlight < 0.9.3 – Authenticated Stored Cross-Site Scripting | CVE 2021-24591 | Plugin Vulnerabilities

Description

The plugin does not sanitise its CustomCSS setting, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Tick the "Enable Highlight" setting of the plugin, and put the following payload in the CustomCSS setting as well: </style><script>alert(/XSS-aaa/)</script>

Then visit the homepage to trigger the XSS

https://github.com/xiahao90/CVEproject/blob/main/wordpress_Highlight_XSS.md

Affects Plugins

Fixed in 0.9.3

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

xiahao@webray.com.cn inc

Submitter

xiahao@webray.com.cn inc

Submitter twitter

lAmn9V6MU9Dfb8p

Verified

Yes

WPVDB ID

c5cbe3b4-2829-4fd2-8194-4b3a2ae0e257

Timeline

Publicly Published

2021-08-06 (about 4 years ago)

Added

2021-08-06 (about 4 years ago)

Last Updated

2022-02-24 (about 3 years ago)

Other

Published

Title

Published

2024-11-08

Title

Shortcode Collection <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-06-26

Title

Login Configurator <= 2.1 - Reflected Cross-Site Scripting

Published

2024-05-22

Title

Awesome Contact Form7 for Elementor < 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via AEP Contact Form 7 Widget

Published

2014-08-01

Title

Marekkis Watermark 0.9.2 - wp-admin/options-general.php pfad Parameter XSS

Published

2024-12-11

Title

Quran Phrases About Most People Shortcodes < 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting