WordPress Plugin Vulnerabilities

SMS Alert Order Notifications – WooCommerce < 3.4.7 Authenticated Cross Site Scripting

Description

The plugin is affected by a cross site scripting (XSS) vulnerability in the plugin's setting page.

Proof of Concept

Enter the payload below for the "SMS Alert Username" in the plugin's settings.

"+onfocus="alert(1)"+autofocus="

You will observe that the  JavaScript payload successfully got reflected is and we are getting a pop-up.

Affects Plugins

sms-alert

Fixed in version 3.4.7

References

CVE

CVE-2021-24588

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

swapnil bodekar

Submitter

swapnil bodekar

Verified

WPVDB ID

dc2ce546-9da1-442c-8ee2-cd660634501f

Timeline

Publicly Published

2021-08-02 (about 1 years ago)

Added

2021-08-03 (about 1 years ago)

Last Updated

2022-02-24 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin