Customize Login Image < 3.5.3 – Admin+ Stored Cross-Site Scripting | CVE 2021-33851

Description

The plugin does not sanitise and escape its Custom Logo Link settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payload in the "Custom Logo Link" settings: <script>alert(/XSS/)</script>

The XSS will be triggered in the login page

Affects Plugins

customize-login-image

Fixed in 3.5.3

References

CVE

CVE-2021-33851

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

Cyber Security Works Pvt. Ltd

Verified

Yes

WPVDB ID

c67753fb-9111-453e-951f-854c6ce31203

Timeline

Publicly Published

2021-12-02 (about 4 years ago)

Added

2022-03-09 (about 4 years ago)

Last Updated

2022-04-08 (about 4 years ago)

Other

Published

Title

Published

2024-03-29

Title

Favorites < 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2023-10-02

Title

Locations <= 4.0 - Contributor+ Stored XSS

Published

2024-10-31

Title

amazing neo icon font for elementor <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-05-19

Title

Cost Calculator Builder < 3.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-07-24

Title

Photo Gallery, Images, Slider in Rbs Image Gallery < 3.2.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Title