WordPress Plugin Vulnerabilities

Multisite Content Copier/Updater < 2.1.0 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the wmcc_content_type, wmcc_source_blog and wmcc_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
wp-multisite-content-copier-pro
Fixed in 2.1.0

References

CVE
CVE-2021-25039
URL
https://www.hackpertise.com/cve/26-cve-2021-25039/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Asif Nawaz Minhas
Verified
Yes
WPVDB ID
c92eb2bf-0a5d-40b9-b0be-1820e7b9bebb

Timeline

Publicly Published
2022-02-07 (about 3 years ago)
Added
2022-02-07 (about 3 years ago)
Last Updated
2023-04-12 (about 2 years ago)

Other

Published
Title
Published
2025-01-06
Title
GDY Modular Content < 0.9.93 - Reflected Cross-Site Scripting
Published
2025-06-19
Title
CSV Importer Improved <= 0.6.1 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2024-04-22
Title
Exclusive Addons for Elementor < 2.6.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Expired Title
Published
2024-04-25
Title
WishSuite < 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-08-29
Title
MemberPress < 1.11.30 - Reflected Cross-Site Scripting via mepr_screenname and mepr_key Parameters