WordPress Plugin Vulnerabilities

Stop Spammers Security < 2021.18 - Authenticated Stored XSS

Description

The plugin does not escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them even when the unfiltered_html capability is disallowed

Proof of Concept

Affects Plugins

Plugin icon
stop-spammer-registrations-plugin
Fixed in 2021.18

References

CVE
CVE-2021-24517

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
swapnil subhash bodekar
Submitter
swapnil subhash bodekar
Verified
Yes
WPVDB ID
f440edd8-94fe-440a-8a5b-e3d24dcfcbc1

Timeline

Publicly Published
2021-08-09 (about 4 years ago)
Added
2021-08-09 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2023-08-17
Title
RSVPMarker < 10.6.7 - Unauthenticated Stored XSS
Published
2023-09-21
Title
WP-Matomo Integration (WP-Piwik) < 1.0.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-03-28
Title
Lordicon Animated Icons <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2015-08-24
Title
Googmonify <= 0.5.1 - CSRF & XSS
Published
2020-11-12
Title
Love Travel < 2.0 - Unauthenticated Reflected XSS & XFS