Flat Preloader < 1.5.5 – Admin+ Stored Cross-Site Scripting | CVE 2021-24789

Description

The plugin does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

Proof of Concept

Put the following payload in the "Alt text" setting of the plugin, then view any page in the frontend to trigger it: " onload=alert(/XSS/)//

Affects Plugins

flat-preloader

Fixed in 1.5.5

References

CVE

CVE-2021-24789

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

4.8 (medium)

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

e8550ccd-3898-4e27-aca9-ade89823ff4d

Timeline

Publicly Published

2021-09-28 (about 4 years ago)

Added

2021-09-28 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2015-08-05

Title

WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)

Published

2022-07-28

Title

VR Calendar < 2.3.1 - Reflected Cross-Site Scripting

Published

2016-02-04

Title

Universal Analytics <= 1.3.0 - Authenticated Cross-Site Scripting (XSS)

Published

2014-08-01

Title

JS External Link Info 1.21 - redirect.php blog Parameter XSS

Published

2025-01-16

Title

NoFollow Free <= 1.6.3 - Reflected Cross-Site Scripting