WordPress Plugin Vulnerabilities

WordPress Popular Posts < 5.3.4 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape the widget-wpp[2][post_type] parameter before outputting it in the page, which could lead to a Stored Cross-Site Scripting issue

Affects Plugins

Plugin icon
wordpress-popular-posts
Fixed in 5.3.4

References

CVE
CVE-2021-36872

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Visse
Verified
No
WPVDB ID
f1569584-e829-4d09-9535-bd5b11331339

Timeline

Publicly Published
2021-07-03 (about 4 years ago)
Added
2021-09-23 (about 4 years ago)
Last Updated
2022-04-09 (about 4 years ago)

Other

Published
Title
Published
2024-07-01
Title
Media Library Assistant < 3.18 - Reflected Cross-Site Scripting
Published
2026-02-13
Title
Citations tools <= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'code' Shortcode Attribute
Published
2024-10-15
Title
Appointment Booking Calendar < 1.6.7.55 - Admin+ Stored XSS
Published
2024-10-29
Title
WPAdverts – Classifieds Plugin < 2.1.7 - Unauthenticated Stored Cross-Site Scripting via adverts_add Shortcode
Published
2022-06-14
Title
WordPress Real Cookie Banner < 2.18.2 - Reflected Cross-Site Scripting