SMS Alert Order Notifications – WooCommerce < 3.4.7 Authenticated Cross Site Scripting | CVE 2021-24588

Description

The plugin is affected by a cross site scripting (XSS) vulnerability in the plugin's setting page.

Proof of Concept

Enter the payload below for the "SMS Alert Username" in the plugin's settings.

"+onfocus="alert(1)"+autofocus="

You will observe that the  JavaScript payload successfully got reflected is and we are getting a pop-up.

Affects Plugins

sms-alert

Fixed in 3.4.7

References

CVE

CVE-2021-24588

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.8 (low)

Miscellaneous

Original Researcher

swapnil bodekar

Submitter

swapnil bodekar

Verified

WPVDB ID

dc2ce546-9da1-442c-8ee2-cd660634501f

Timeline

Publicly Published

2021-08-02 (about 4 years ago)

Added

2021-08-03 (about 4 years ago)

Last Updated

2022-02-24 (about 3 years ago)

Other

Published

Title

Published

2025-01-16

Title

wp_amaps <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-10

Title

Raptive Ads < 3.7.4 - Reflected Cross-Site Scripting

Published

2025-10-29

Title

WooCommerce < 10.0.3 - Shop manager+ Stored XSS

Published

2024-05-01

Title

Sydney Toolbox < 1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-24

Title

Magazine Blocks < 1.3.18 - Authenticated (Contributor+) Stored Cross-Site Scripting