Daily Prayer Time < 2021.08.10 – Admin+ Stored XSS | CVE 2021-24523 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape some of its settings before outputting them in the page, leading to Authenticated Stored Cross-Site Scripting issues.

Proof of Concept

Put the following payload in the Fajr, Sunrise, Zuhr, Asr, Maghrib and/or Isha field of the Language settings of the plugin (/wp-admin/admin.php?page=dpt#tabs-2): <img/src/onerror=prompt(/XSS/)>

The XSS will be triggered in the plugin's settings, as well as any post/page with the [monthlytable] embed

Affects Plugins

daily-prayer-time-for-mosques

Fixed in 2021.08.10

References

CVE

URL

https://www.hackpertise.com/cve/11-cve-2021-24523/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Asif Nawaz Minhas

Submitter

Asif Nawaz Minhas

Verified

Yes

WPVDB ID

832fe086-1d33-430b-bdb5-e444761576b2

Timeline

Publicly Published

2021-08-10 (about 2 years ago)

Added

2021-08-10 (about 2 years ago)

Last Updated

2023-04-12 (about 1 years ago)

Other

Published

Title

Published

2023-11-08

Title

WooCommerce Product Enquiry <= 2.3.4 - Unauthenticated Stored XSS

Published

2021-03-17

Title

Elementor < 3.1.4 - Authenticated Stored Cross-Site Scripting (XSS) in Column Element

Published

2022-06-02

Title

Mihdan: No External Links < 5.0.2 - Admin+ Stored Cross-Site Scripting

Published

2022-01-03

Title

Visual CSS Style Editor < 7.5.4 - Reflected Cross-Site Scripting

Published

2024-03-15

Title

WP Calameo < 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting