WordPress Plugin Vulnerabilities

WPeMatico RSS Feed Fetcher < 2.6.12 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Create/edit a campaign and add the following feed URL: https://wordpress.com/#"><script>alert('xss')</script>

The XSS will be triggered when editing the campaign again or run it.

Affects Plugins

Plugin icon
wpematico
Fixed in 2.6.12

References

CVE
CVE-2021-24793

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Huy Nguyen
Submitter
Huy Nguyen
Submitter website
https://www.linkedin.com/in/id-laladee/
Verified
Yes
WPVDB ID
eeedbb3b-ae10-4472-a1d3-f196f95b9d96

Timeline

Publicly Published
2021-09-29 (about 2 years ago)
Added
2021-09-29 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)

Other

Published
Title
Published
2022-05-19
Title
Google Tag Manager for WordPress < 1.15.1 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
FlagEm - flagit.php cID Parameter XSS
Published
2023-10-13
Title
LeadSquared Suite <= 0.7.4 - Admin+ Stored XSS
Published
2022-11-21
Title
Jetpack CRM < 5.4.3 - Admin+ Cross-Site Scripting
Published
2022-01-13
Title
PublishPress Capabilities < 2.3.3 - Reflected Cross-Site Scripting