WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Custom Dashboard & Login Page < 7.0 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Note: v6.9.5 made the settings only available to admin with the unfiltered_html capability, however existing payloads were not sanitised and there was no simple way to remove them other than editing the settings directly in the DB.

Proof of Concept

Put the following payload in the "Change version text"or "Change footer text" setting of the plugin (/wp-admin/tools.php?page=ag-custom-admin%2Fplugin.php#admin-footer-settings): <img src=x onerror=alert(/XSS/)>

The XSS will be triggered in all admin pages

Affects Plugins

ag-custom-admin
Fixed in version 7.0

References

CVE
CVE-2021-24944

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

0ppr2s

Submitter

dnr6419

Verified

Yes

WPVDB ID
d1bfdce3-89bd-441f-8ebb-02cf0ff8b6cc

Timeline

Publicly Published

2021-12-30 (about 1 years ago)

Added

2021-12-30 (about 1 years ago)

Last Updated

2022-04-13 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin