Backup and Staging by WP Time Capsule < 1.22.7 – Reflected Cross-Site Scripting | CVE 2021-25035 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

Proof of Concept

Once the "Server Requirements" are passed in the initial setup process (you can bypass the check for localhosts by editing the is_localhost function in the same file for testing purpose) the vulnerability can be triggered at any time in an admin's panel using an URI with JavaScript content inserted in the error parameter such as :

https://example.com/wp-admin/admin.php?page=wp-time-capsule&error="><script>alert(/XSS/)</script>&cloud_auth_action=g_drive

Affects Plugins

wp-time-capsule

Fixed in 1.22.7

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2641264

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Jeremie Amsellem

Submitter

Jeremie Amsellem

Submitter website

https://fenrir.pro

Submitter twitter

Verified

Yes

WPVDB ID

f426360e-5ba0-4d6b-bfd4-61bc54be3469

Timeline

Publicly Published

2021-12-21 (about 2 years ago)

Added

2021-12-21 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2024-03-26

Title

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels < 4.4.1 - Reflected Cross-Site Scripting

Published

2021-10-18

Title

Client Invoicing by Sprout Invoices < 19.9.7 - Admin+ Stored Cross-Site Scripting

Published

2014-08-01

Title

HMS Testimonials 2.0.10 - XSS

Published

2024-04-25

Title

Newsletter Popup <= 1.2 - Admin+ Stored XSS

Published

2021-11-01

Title

GenerateBlocks < 1.4.0 - Contributor+ Stored Cross-Site Scripting