WordPress Plugin Vulnerabilities

WP Hardening < 1.2.2 - Reflected XSS via historyvalue

Description

The plugin did not sanitise or escape the historyvalue GET parameter before outputting it in a Javascript block, leading to a reflected Cross-Site Scripting issue.

Proof of Concept

Affects Plugins

Plugin icon
wp-security-hardening
Fixed in 1.2.2

References

CVE
CVE-2021-24373

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
fcf17278-609f-4f75-8a87-9b4579dee1c8

Timeline

Publicly Published
2021-06-07 (about 4 years ago)
Added
2021-06-07 (about 4 years ago)
Last Updated
2022-01-02 (about 4 years ago)

Other

Published
Title
Published
2023-09-04
Title
Atarim < 3.9.4 - Admin+ Stored XSS
Published
2025-06-19
Title
IP Based Login < 2.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2021-10-04
Title
Cardinity Payment Gateway for WooCommerce < 3.0.7 - Reflected Cross-Site Scripting
Published
2025-11-20
Title
WPBookit < 1.0.7 - Unauthenticated Stored Cross-Site Scripting
Published
2025-12-15
Title
User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin < 4.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes