WordPress Plugin Vulnerabilities

Bookshelf <= 2.0.4 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
bookshelf
No known fix

References

CVE
CVE-2021-24478

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
ABISHEIK M
Submitter
ABISHEIK M
Submitter twitter
abisheikmagesh
Verified
Yes
WPVDB ID
c73818e5-0734-46c9-9703-d211b4f58664

Timeline

Publicly Published
2021-06-28 (about 4 years ago)
Added
2021-06-28 (about 4 years ago)
Last Updated
2022-01-02 (about 3 years ago)

Other

Published
Title
Published
2021-10-18
Title
Leaky Paywall < 4.16.7 - Admin+ Stored Cross-Site Scripting
Published
2025-03-25
Title
Advanced Woo Search < 3.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via aws_search_terms Shortcode
Published
2024-01-17
Title
Albo Pretorio Online <= 4.6.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-01-12
Title
Html5 Audio Player < 2.1.12 - Contributor+ Stored XSS
Published
2025-10-16
Title
tagDiv Cloud Library < 3.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting