WordPress Plugin Vulnerabilities

Wonder PDF Embed < 1.7 - Contributor+ Stored XSS

Description

The plugin does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.

Proof of Concept

[wonderplugin_pdf src="a" onload="alert(1)"]

Affects Plugins

Plugin icon
wonderplugin-pdf-embed
Fixed in 1.7

References

CVE
CVE-2021-24541

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
e6602369-87f4-4454-8298-89cc69f8375c

Timeline

Publicly Published
2021-07-19 (about 2 years ago)
Added
2021-07-19 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2014-10-18
Title
Contact Form Integrated With Google Maps 1.0-2.4 - Stored Cross-Site Scripting (XSS)
Published
2022-02-22
Title
Header Footer Code Manager < 1.1.17 - Reflected Cross-Site Scripting
Published
2023-08-11
Title
Flowpaper < 2.0.0 - Contributor+ Stored XSS
Published
2023-04-24
Title
Tablesome < 1.0.9 - Reflected XSS
Published
2022-04-19
Title
BMI BMR Calculator <= 1.3 - Reflected Cross-Site Scripting