Per Page Add to Head <= 1.4.4 – Authenticated Stored XSS | CVE 2021-24619

Description

The plugin does not properly sanitise one of its setting, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues.

Note: The plugin is no longer maintained.

Proof of Concept

Put the following payload in the HTML setting of the plugin, then access any page in the frontend to trigger it: <img src onerror=alert(/XSS/)>

Affects Plugins

per-page-add-to

No known fix

References

CVE

CVE-2021-24619

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.5 (low)

Miscellaneous

Original Researcher

Prashant Karman Patel

Submitter

Prashant Karman Patel

Submitter twitter

parsh_patel

Verified

Yes

WPVDB ID

f360f383-0646-44ca-b49e-e2258dfbf3a6

Timeline

Publicly Published

2021-08-11 (about 4 years ago)

Added

2021-08-11 (about 4 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2025-02-24

Title

Quotes llama < 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-01-13

Title

PublishPress Capabilities < 2.3.3 - Reflected Cross-Site Scripting

Published

2025-05-19

Title

Visual Composer Website Builder < 45.12.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2019-08-04

Title

Rencontre < 3.2 - Authenticated Stored XSS via textmail & textanniv Parameters

Published

2014-08-01

Title

EELV Newsletter 3.4.3 - lettreinfo.php Unspecified XSS