Virtual Robots.txt < 1.10 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2021-28121 | Plugin Vulnerabilities

Description

The plugin did not sanitise the content of the robots.txt, allowing high privilege users (admin+) to use XSS payloads, which will be output back in the settings page of the plugin.

Proof of Concept

Put the following directive in the plugin settings "User Agents and Directives for this site"

Disallow: /wp-register.php</textarea></td></tr><script>alert(1);</script>

Affects Plugins

Fixed in 1.10

References

CVE

URL

https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28638

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Martin Vierula of Trustwave SpiderLabs Security

Verified

Yes

WPVDB ID

cdd5c7a9-ca6d-40d9-9a38-650b4c8e1305

Timeline

Publicly Published

2021-03-29 (about 5 years ago)

Added

2021-04-01 (about 5 years ago)

Last Updated

2021-04-04 (about 5 years ago)

Other

Published

Title

Published

2026-01-08

Title

Nearby Now Reviews <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Published

2023-10-12

Title

Simple Tweet <= 1.4.0.2 - Admin+ Stored XSS

Published

2025-07-23

Title

Voltax Video Player <= 1.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

Published

2026-03-12

Title

Everest Forms Pro < 1.9.13 - Unauthenticated Stored Cross-Site Scripting

Published

2025-10-21

Title

Playerzbr <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via URL Meta Field