Post Views Counter < 1.3.5 – Authenticated Stored XSS | CVE 2021-24613 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payload in the Post Views Label settings of the plugin (?wp-admin/options-general.php?page=post-views-counter&tab=display): <script>alert(/XSS/)</script>

The XSS will be triggered in any posts (by default), but could also be changed to any pages etc.

Affects Plugins

post-views-counter

Fixed in 1.3.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Tung Duong Dinh

Submitter

Tung Duong Dinh

Submitter twitter

Verified

Yes

WPVDB ID

0b8c5947-bc73-448e-8f10-a4f4456e4000

Timeline

Publicly Published

2021-08-23 (about 2 years ago)

Added

2021-08-23 (about 2 years ago)

Last Updated

2022-03-07 (about 2 years ago)

Other

Published

Title

Published

2020-07-21

Title

Elementor < 2.9.14 - Authenticated Stored Cross-Site Scripting

Published

2022-05-31

Title

Age Gate < 2.20.4 - Reflected Cross-Site Scripting

Published

2023-01-04

Title

Pricing Tables WordPress Plugin – Easy Pricing Tables < 3.2.3 - Contributor+ Stored XSS via Shortcode

Published

2020-02-27

Title

Modern Events Calendar Lite < 5.1.7 - Multiple Subscriber+ Stored XSS

Published

2024-02-23

Title

WP Event Manager < 3.1.42 - Reflected Cross-Site Scripting via plugin