Client Invoicing by Sprout Invoices < 19.9.7 – Admin+ Stored Cross-Site Scripting | CVE 2021-24787 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payload in one of the vulnerable fields in the General Settings of the plugin (/wp-admin/admin.php?page=sprout-invoices-settings): "><script>alert(/XSS/)</script>

Vulnerable fields:
1. Company Name
2. Contact Email
3. Phone
4. Fax
5. First Name
6. Last Name
7. City
8. Zip code

Affects Plugins

sprout-invoices

Fixed in 19.9.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dipak Panchal

Submitter

Dipak Panchal

Submitter twitter

Verified

Yes

WPVDB ID

c89bf498-f384-49de-820e-6cbd70390db2

Timeline

Publicly Published

2021-10-18 (about 2 years ago)

Added

2021-10-18 (about 2 years ago)

Last Updated

2022-04-11 (about 2 years ago)

Other

Published

Title

Published

2022-11-03

Title

Fancier Author Box by ThematoSoup <= 1.4 - Admin+ Stored XSS

Published

2014-08-01

Title

Expose - Unspecified XSS

Published

2024-03-25

Title

Easy Social Feed < 6.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via fb_appid

Published

2014-08-01

Title

drp-coupon <= 2.1 - XSS in ZeroClipboard

Published

2024-04-24

Title

Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) < 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Sina Fancy Text Widget