WordPress Plugin Vulnerabilities

Bookshelf <= 2.0.4 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
bookshelf
No known fix

References

CVE
CVE-2021-24478

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
ABISHEIK M
Submitter
ABISHEIK M
Submitter twitter
abisheikmagesh
Verified
Yes
WPVDB ID
c73818e5-0734-46c9-9703-d211b4f58664

Timeline

Publicly Published
2021-06-28 (about 4 years ago)
Added
2021-06-28 (about 4 years ago)
Last Updated
2022-01-02 (about 4 years ago)

Other

Published
Title
Published
2024-09-30
Title
BA Book Everything < 1.6.21 - Reflected Cross-Site Scripting
Published
2025-01-24
Title
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels < 4.7.2 - Authenticated (Shop Manager+) Stored Cross-Site Scripting
Published
2025-03-27
Title
Comment Approved Notifier Extended < 5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-03-18
Title
RDP Linkedin Login <= 1.7.0 - Reflected Cross-Site Scripting
Published
2024-10-21
Title
WPKoi Templates for Elementor < 3.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting