Flat Preloader < 1.5.5 – Admin+ Stored Cross-Site Scripting | CVE 2021-24789

Description

The plugin does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

Proof of Concept

Put the following payload in the "Alt text" setting of the plugin, then view any page in the frontend to trigger it: " onload=alert(/XSS/)//

Affects Plugins

flat-preloader

Fixed in 1.5.5

References

CVE

CVE-2021-24789

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

4.8 (medium)

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

e8550ccd-3898-4e27-aca9-ade89823ff4d

Timeline

Publicly Published

2021-09-28 (about 2 years ago)

Added

2021-09-28 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

q2w3-inc-manager <= 2.3.1 - XSS in ZeroClipboard

Published

2024-04-22

Title

GeoDirectory – WordPress Business Directory Plugin, or Classified Directory < 2.3.49 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'gd_single_tabs' Shortcode

Published

2023-09-18

Title

Poptin < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2014-08-01

Title

FunCaptcha 0.4.3 - wp_funcaptcha_admin_activate.php URI XSS

Published

2022-05-31

Title

Spectra < 1.25.6 - Reflected Cross-Site Scripting