WordPress Plugin Vulnerabilities

Alojapro Widget < 1.1.16 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin doesn't properly sanitise its Custom CSS settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Affects Plugins

Plugin icon
alojapro-widget
Fixed in 1.1.16

References

CVE
CVE-2021-24530

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.8 (low)

Miscellaneous

Original Researcher
xiahao
Submitter
xiahao
Submitter twitter
lAmn9V6MU9Dfb8p
Verified
Yes
WPVDB ID
caf36ca5-aafd-48bd-a1e5-30f3973d8eb8

Timeline

Publicly Published
2021-07-29 (about 4 years ago)
Added
2021-08-19 (about 4 years ago)
Last Updated
2022-04-09 (about 3 years ago)

Other

Published
Title
Published
2024-01-09
Title
Contact Form 7 Connector < 1.2.3 - Reflected XSS
Published
2025-06-05
Title
WP Biographia <= 4.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2022-06-21
Title
Very Simple Breadcrumb <= 1.0 - Admin+ Stored Cross-Site Scripting
Published
2025-11-10
Title
WP BBCode <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-11-10
Title
WP Project Manager < 2.4.14 - Authenticated Stored Cross-Site Scripting