iFlyChat – WordPress Chat < 4.7.0 – Admin+ Stored Cross-Site Scripting (XSS) | CVE 2021-24343

Description

The plugin does not sanitise its APP ID setting before outputting it back in the page, leading to an authenticated Stored Cross-Site Scripting issue

Proof of Concept

Enter the following payload in the "APP ID" field of the plugin settings (wp-admin/options-general.php?page=iflychat_settings): +xss"/><script>alert(1)</script>

Affects Plugins

iflychat

Fixed in 4.7.0

References

CVE

CVE-2021-24343

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

Kishore Hariram

Submitter

kishore hariram

Submitter twitter

kishorehariram

Verified

Yes

WPVDB ID

d6c72d90-e321-47b9-957a-6fea7c944293

Timeline

Publicly Published

2021-05-24 (about 3 years ago)

Added

2021-05-24 (about 3 years ago)

Last Updated

2022-02-02 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

Wordfence 3.8.6 - lib/IPTraf.php User-Agent Header Stored XSS

Published

2022-02-17

Title

WP Statistics < 13.1.6 - Multiple Unauthenticated Stored Cross-Site Scripting

Published

2023-01-05

Title

Widgets for Google Reviews < 9.8 - Contributor+ Stored XSS

Published

2021-10-27

Title

Registrations for The Events Calendar < 2.7.5 - Reflected Cross-Site Scripting

Published

2024-02-26

Title

Configure SMTP <= 3.1 - Reflected Cross-Site Scripting