WordPress Plugin Vulnerabilities

Hotjar Connecticator <= 1.1.1 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin was vulnerable to Stored Cross-Site Scripting (XSS) in the "hotjar script" textarea. The request did include a CSRF nonce that was properly verified by the server and this vulnerability could only be exploited by administrator users.

Proof of Concept

Step 1: Install and activate the plugin "Hotjar Connecticator"

Step 2: Now enter the following script on the "Hotjar script" text field.

abc</textarea><script>alert(xss)</script>

Step 3: Now we can see the script is stored and executed all the when we visit the website.

Affects Plugins

Plugin icon
hotjar-connecticator
No known fix

References

CVE
CVE-2021-24301

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.8 (low)

Miscellaneous

Original Researcher
Kishore Hariram
Submitter
Kishore Hariram
Submitter twitter
kishorehariram
Verified
Yes
WPVDB ID
eb8e2b9d-f153-49c9-862a-5c016934f9ad

Timeline

Publicly Published
2021-05-04 (about 3 years ago)
Added
2021-05-06 (about 3 years ago)
Last Updated
2021-05-07 (about 3 years ago)

Other

Published
Title
Published
2022-09-26
Title
Meks Easy Social Share < 1.2.8 - Admin+ Stored Cross-Site Scripting
Published
2024-03-13
Title
Elementor Addons by Livemesh < 8.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Slider Widget
Published
2023-06-21
Title
WooCommerce Product Vendors < 2.1.77 - Reflected XSS
Published
2023-06-08
Title
WP Mail Logging < 1.11.2 - Unauthenticated Stored Cross-Site Scripting
Published
2023-03-14
Title
Embed Any Document < 2.7.2 - Author+ Stored XSS