WordPress Plugin Vulnerabilities

Stop Spammers Security < 2021.18 - Authenticated Stored XSS

Description

The plugin does not escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payload in any of the API field of the Web Services settings: " autofocus onfocus="alert(/XSS/)//

Affects Plugins

Plugin icon
stop-spammer-registrations-plugin
Fixed in 2021.18

References

CVE
CVE-2021-24517

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
swapnil subhash bodekar
Submitter
swapnil subhash bodekar
Verified
Yes
WPVDB ID
f440edd8-94fe-440a-8a5b-e3d24dcfcbc1

Timeline

Publicly Published
2021-08-09 (about 2 years ago)
Added
2021-08-09 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2017-12-05
Title
Z-URL Preview < 2.0.0 - Cross-Site Scripting (XSS)
Published
2016-10-10
Title
Photoxhibit <= 2.1.8 - Reflected XSS Issues
Published
2023-10-12
Title
Fast WP Speed <= 1.0.0 - Reflected XSS
Published
2019-02-16
Title
Launcher: Coming Soon & Maintenance Mode <= 1.0.10 - Multiple Stored XSS
Published
2020-08-29
Title
Real Estate 7 < 3.0.5 - Unauthenticated Reflected XSS