Custom Dashboard & Login Page < 7.0 – Admin+ Stored Cross-Site Scripting | CVE 2021-24944 | Plugin Vulnerabilities

Description

The plugin does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Note: v6.9.5 made the settings only available to admin with the unfiltered_html capability, however existing payloads were not sanitised and there was no simple way to remove them other than editing the settings directly in the DB.

Proof of Concept

Put the following payload in the "Change version text"or "Change footer text" setting of the plugin (/wp-admin/tools.php?page=ag-custom-admin%2Fplugin.php#admin-footer-settings): <img src=x onerror=alert(/XSS/)>

The XSS will be triggered in all admin pages

Affects Plugins

ag-custom-admin

Fixed in 7.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

0ppr2s

Submitter

dnr6419

Verified

Yes

WPVDB ID

d1bfdce3-89bd-441f-8ebb-02cf0ff8b6cc

Timeline

Publicly Published

2021-12-30 (about 2 years ago)

Added

2021-12-30 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2024-03-25

Title

Podlove Web Player < 5.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-01-03

Title

Members Import <= 1.4.2 - XSS via Imported CSV

Published

2024-04-22

Title

Royal Elementor Addons and Templates < 1.3.972 - Contributor+ Stored Cross-Site Scripting via Flip Carousel, Flip Box, Post Grid, and Taxonomy List Widget Attributes

Published

2023-06-13

Title

Login Configurator <= 2.1 - Admin+ Stored Cross-Site Scripting

Published

2021-09-09

Title

On Page SEO + Whatsapp Chat Button < 1.0.2 - Reflected Cross-Site Scripting