WordPress Plugin Vulnerabilities

iFlyChat – WordPress Chat < 4.7.0 - Admin+ Stored Cross-Site Scripting (XSS)

Description

The plugin does not sanitise its APP ID setting before outputting it back in the page, leading to an authenticated Stored Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
iflychat
Fixed in 4.7.0

References

CVE
CVE-2021-24343

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Kishore Hariram
Submitter
kishore hariram
Submitter twitter
kishorehariram
Verified
Yes
WPVDB ID
d6c72d90-e321-47b9-957a-6fea7c944293

Timeline

Publicly Published
2021-05-24 (about 4 years ago)
Added
2021-05-24 (about 4 years ago)
Last Updated
2022-02-02 (about 3 years ago)

Other

Published
Title
Published
2023-07-18
Title
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Published
2024-03-25
Title
HT Mega < 2.4.4 - Contributor+ Stored XSS
Published
2015-06-18
Title
Ultimate Member 1.2.98-1.2.994 - Reflected Cross-Site Scripting (XSS)
Published
2015-05-06
Title
Facebook Page Photo Gallery <= 2.0.9 - DOM Cross-Site Scripting (XSS)
Published
2014-12-16
Title
Better Search < 1.3.5 - Reflected Cross-Site Scripting (XSS)