WordPress Plugin Vulnerabilities

Hotjar Connecticator <= 1.1.1 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin was vulnerable to Stored Cross-Site Scripting (XSS) in the "hotjar script" textarea. The request did include a CSRF nonce that was properly verified by the server and this vulnerability could only be exploited by administrator users.

Proof of Concept

Affects Plugins

Plugin icon
hotjar-connecticator
No known fix

References

CVE
CVE-2021-24301

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.8 (low)

Miscellaneous

Original Researcher
Kishore Hariram
Submitter
Kishore Hariram
Submitter twitter
kishorehariram
Verified
Yes
WPVDB ID
eb8e2b9d-f153-49c9-862a-5c016934f9ad

Timeline

Publicly Published
2021-05-04 (about 4 years ago)
Added
2021-05-06 (about 4 years ago)
Last Updated
2021-05-07 (about 4 years ago)

Other

Published
Title
Published
2025-09-22
Title
WP Category Dropdown <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2015-08-09
Title
Bookmarkify <= 2.9.2 - Cross-Site Scripting (XSS) & CSRF
Published
2025-08-22
Title
Recurring PayPal Donations < 1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-12-26
Title
Back Button Widget < 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-10-03
Title
WordPress Captcha Plugin by Captcha Bank <= 4.0.36 - Reflected Cross-Site Scripting