WordPress Plugin Vulnerabilities

Content Copy Protection & Prevent Image Save <= 1.3 - CSRF to Stored Cross-Site Scripting (XSS)

Description

The plugin does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them.

Proof of Concept

Affects Plugins

Plugin icon
prevent-content-copy-image-save
No known fix

References

CVE
CVE-2021-24333
URL
https://m0ze.ru/exploit/csrf-prevent-content-copy-image-save-v1.3.html
URL
https://m0ze.ru/vulnerability/[2021-03-29]-[WordPress]-[CWE-352]-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt
URL
https://m0ze.ru/vulnerability/[2021-03-29]-[WordPress]-[CWE-79]-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt
YouTube Video

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
m0ze
Submitter
m0ze
Submitter website
https://m0ze.ru
Submitter twitter
vladm0ze
Verified
Yes
WPVDB ID
c722f8d0-f86b-41c2-9f1f-48e475e22864

Timeline

Publicly Published
2021-04-12 (about 4 years ago)
Added
2021-05-17 (about 4 years ago)
Last Updated
2021-05-24 (about 4 years ago)

Other

Published
Title
Published
2025-08-28
Title
Ultimate Tag Warrior Importer <= 0.2 - Cross-Site Request Forgery
Published
2023-05-24
Title
Flickr Justified Gallery <= 3.5 - Cross-Site Request Forgery
Published
2024-07-19
Title
WP Fast Total Search < 1.70.236 - Cross-Site Request Forgery
Published
2024-11-01
Title
FraudLabs Pro SMS Verification < 1.10.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-05-07
Title
워드프레스 결제 심플페이 < 5.3.3 - Cross-Site Request Forgery