WP Config File Editor <= 1.7.1 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2021-24367 | Plugin Vulnerabilities

Description

The WP Config File Editor WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting (XSS) vulnerability.

By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may allow lesser privileged users to access the plugin's functionality, in which case, privilege escalation could be performed.

Proof of Concept

Go to Tools->Profile->Create and enter a JavaScript payload in the Name parameter.

Specifically, the profileForm[name] parameter of the wcfe-services-profiles-services-profiles-ajaxview POST action.

Affects Plugins

wp-config-file-editor

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

blackangel

Verified

Yes

WPVDB ID

f35b7c8f-cfb6-42b6-8a3a-8c07cd1e9da0

Timeline

Publicly Published

2021-05-31 (about 4 years ago)

Added

2021-06-07 (about 4 years ago)

Last Updated

2021-08-10 (about 4 years ago)

Other

Published

Title

Published

2024-06-10

Title

Custom Field Template < 2.6.2 - Authenticated (Admin+) Stored Cross-Site Scritping

Published

2015-09-12

Title

Royal Slider <= 3.2.6 - Authenticated Cross-Site Scripting (XSS)

Published

2025-04-17

Title

Bulk Page Stub Creator < 1.2 - Reflected Cross-Site Scripting

Published

2025-07-24

Title

Injection Guard < 1.2.8 - Reflected XSS via $_SERVER['REQUEST_URI']

Published

2024-08-07

Title

Fuse Social Floating Sidebar < 5.4.11 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload