logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Store Locator Plus <= 5.5.15 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

There are several endpoints in the plugin that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages.

Proof of Concept

The PoC will be displayed once the issue has been remediated

Affects Plugins

store-locator-le

No known fix - plugin closed

References

CVE

CVE-2021-24290

URL

https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-leads-to-closure-of-store-locator-plus-plugin

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Chloe Chamberland

Submitter

Chloe Chamberland

Submitter website

https://wordfence.com

Submitter twitter

infosecchloe

Verified

Yes

WPVDB ID

dc368484-f2fe-4c76-ba3d-e00e7f633719

Timeline

Publicly Published

2021-04-26 (about 3 months ago)

Added

2021-04-27 (about 2 months ago)

Last Updated

2021-04-27 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin