Content Staging <= 2.0.1 – Admin+ Stored Cross-Site Scripting | CVE 2021-39356 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via several parameters that are echo’d out via the ~/templates/settings.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

content-staging

No known fix

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39356

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Thinkland Security Team

Verified

No

WPVDB ID

d75924eb-57a7-4a15-a3eb-6258f279c3ab

Timeline

Publicly Published

2021-10-18 (about 4 years ago)

Added

2021-10-18 (about 4 years ago)

Last Updated

2022-04-09 (about 4 years ago)

Other

Published

Title

Published

2024-08-09

Title

Mediavine Control Panel < 2.10.5 - Contributor+ Stored XSS

Published

2025-01-07

Title

Qr Code and Barcode Scanner Reader <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-09-25

Title

WS Form LITE < 1.9.244 - Unauthenticated Stored Cross-Site Scripting

Published

2024-11-08

Title

Mapme <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-14

Title

Navigation Du Lapin Blanc <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting