Themify Portfolio Post < 1.1.6 – Authenticated Stored Cross-Site Scripting | CVE 2021-24129 | Plugin Vulnerabilities

Description

Stored Cross-Site Scripting vulnerabilities in Themify Portfolio Post <= 1.1.5 allow low-privileged users (Contributor+) to inject arbitrary Javascript code or HTML in posts where the Themify Custom Panel is embedded.

Proof of Concept

1. As a contributor, go into "Portfolios" tab from the sidebar and create a new Portfolios

2. In the Themify Custom Panel section, Input an XSS vector to :
- Date
- Client
- Services
- Link to Launch

ex: <img src=x onerror=alert(origin)>

3. Publish/Send for review and visit created post/preview as editor/admin to trigger XSS.

Affects Plugins

themify-portfolio-post

Fixed in 1.1.6

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2431145/themify-portfolio-post/trunk/includes/themify-metabox/includes/themify-metabox-core.php?old=2393969

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)

Submitter

Nguyen Anh Tien

Submitter website

https://research.sun-asterisk.com/

Submitter twitter

Verified

Yes

WPVDB ID

c8537e5f-1948-418b-9d29-3cf50cd8f9a6

Timeline

Publicly Published

2020-12-04 (about 5 years ago)

Added

2020-12-04 (about 5 years ago)

Last Updated

2021-01-22 (about 4 years ago)

Other

Published

Title

Published

2022-07-29

Title

Simple SEO < 1.7.92 - Contributor+ Stored Cross-Site Scripting

Published

2025-07-16

Title

JetBlocks For Elementor < 1.3.19.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

IFrame Admin Pages <= 0.1 - Cross Site Scripting

Published

2019-11-14

Title

Blog2Social < 5.9.0 - Cross-Site Scripting Issue

Published

2021-08-10

Title

Quiz And Survey Master < 7.1.14 - Reflected Cross-Site Scripting