WordPress Plugin Vulnerabilities

WPvivid Backup and Migration Plugin < 0.9.69 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not have authorisation when adding remote storages, and does not sanitise as well as escape a parameter from such unauthenticated requests before outputting it in admin page, leading to a Stored Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
wpvivid-backuprestore
Fixed in 0.9.69

References

CVE
CVE-2021-24994

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
9.6 (critical)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
ea74257a-f6b0-49e9-a81f-53c0eb81b1da

Timeline

Publicly Published
2022-01-31 (about 3 years ago)
Added
2022-01-31 (about 3 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2023-06-21
Title
Gravity Forms < 2.7.5 - Reflected XSS
Published
2025-02-20
Title
Limit Bio <= 1.0 - Stored XSS via CSRF
Published
2025-02-18
Title
XV Random Quotes <= 1.40 - Reflected XSS
Published
2022-01-19
Title
Shield Security < 13.0.6 - Admin+ Stored Cross-Site Scripting
Published
2022-06-20
Title
Shortcodes and extra features for Phlox theme < 2.9.8 - Reflected Cross-Site-Scripting