Buttonizer – Smart Floating Action Button < 2.5.5 – Admin+ Stored Cross-Site Scripting | CVE 2021-24992 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameter before outputting them in attributes and page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Add/edit a new button, set its Button action to "Website URL" and add the following payload as URL: javascript:alert(/XSS/)

As label, the following payload can be used as well: <img src onerror=alert(/XSS-Label/)>

Publish it and the XSS will be triggered when viewing the page with the button (w/o user interaction for the XSS in the label field, while clicking on it for the XSS in the URL)

Affects Plugins

buttonizer-multifunctional-button

Fixed in 2.5.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dipak Panchal

Submitter

th3.d1p4k

Submitter twitter

Verified

Yes

WPVDB ID

db0b9480-2ff4-423c-a745-68e983ffa12b

Timeline

Publicly Published

2021-11-29 (about 4 years ago)

Added

2021-11-29 (about 4 years ago)

Last Updated

2022-04-10 (about 3 years ago)

Other

Published

Title

Published

2025-01-24

Title

Etsy Importer <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2016-10-04

Title

Portfolio <= 2.1.10 - Reflected Cross-Site Scripting (XSS)

Published

2025-09-10

Title

Digital Events Calendar <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via column Parameter

Published

2025-01-14

Title

Giga Messenger Bots <= 2.3.1 - Reflected XSS

Published

2024-01-03

Title

Keap Official Opt-in Forms <= 2.0.3 - Contributor+ Stored XSS