WordPress Plugin Vulnerabilities

Glass <= 1.3.2 - CSRF to Stored Cross-Site Scripting (XSS)

Description

The plugin does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.

Proof of Concept

Affects Plugins

Plugin icon
glass
No known fix

References

CVE
CVE-2021-24434

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
ABISHEIK M
Submitter
ABISHEIK M
Submitter twitter
abisheikmagesh
Verified
Yes
WPVDB ID
dbea2dc2-83f6-4e70-b044-a68a4c9b9c39

Timeline

Publicly Published
2021-06-21 (about 4 years ago)
Added
2021-06-21 (about 4 years ago)
Last Updated
2021-06-25 (about 4 years ago)

Other

Published
Title
Published
2024-07-11
Title
Typebot < 3.6.1 - Contributor+ Stored XSS
Published
2025-01-13
Title
HTML5 Video Player – mp4 Video Player Plugin and Block < 2.5.36 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via heading Parameter
Published
2023-05-11
Title
DevBuddy Twitter Feed <= 4.0.0 - Admin+ Stored XSS
Published
2024-10-17
Title
Parcel Pro < 1.9.0 - Reflected Cross-Site Scripting
Published
2024-01-16
Title
BA Plus <= 1.0.3 - Reflected Cross-Site Scripting