Source: wpexploit
Author: Ceylan Bozogullarindan
WPEX-ID: 7B80F89B-E724-41C5-AA03-21D1EEF50F21
History: Jan 11, 2022 - 12:00 a.m.

Mortgage Calculators WP < 1.56 - Admin+ Stored Cross-Site Scripting

Tags: mortgage calculators, cross-site scripting, admin, settings, payload, shortcode, exploit

EPSS: 0.001 (percentile: 38.3%)

The plugin does not implement any sanitisation on the background colour setting of a calculator, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

1. Go to the settings page available under the "Calculator" menu item.
2. Click the "Select Color" button and type the following payload into the input field: </style></head><script>alert(/XSS/)</script>
3. Click the "Save Changes" button to save settings.
4. Create a new page and add the shortcode ([mcwp type="cv"]) of the calculator, for testing.
5. Visit the page to trigger XSS.
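The fix a defender wants for this class of bug, shown here as an added example rather than the plugin's own code: allow-list the colour setting against a hex pattern on save and escape it on output. The option name `mcwp_bg_color`, the `mcwp_*` function names and the `mcwp_settings` group are assumptions for illustration; the WordPress APIs used (`register_setting` with a `sanitize_callback`, `add_settings_error`, `get_option`, `esc_attr`) are real.

```php
<?php
// Added example (not the plugin's code). Option and function names
// (mcwp_bg_color, mcwp_*) are assumed for illustration only.

// --- Vulnerable pattern: the raw option is printed into a <style> block. ---
function mcwp_render_calculator_unsafe() {
    $color = get_option( 'mcwp_bg_color', '#ffffff' );
    // A stored value such as "</style></head><script>..." closes the style
    // element here and the remainder is parsed as markup on every page view.
    return '<style>.mcwp { background: ' . $color . '; }</style>';
}

// --- Hardened pattern: validate the format on save, escape on output. ---

// Sanitize callback: accept only a 3- or 6-digit hex colour. On a bad value,
// record a settings error and keep the previously saved value, so a malformed
// submission can never reach the database regardless of who submitted it.
function mcwp_sanitize_bg_color( $value ) {
    $value = trim( (string) $value );
    if ( preg_match( '/\A#(?:[0-9a-fA-F]{3}){1,2}\z/', $value ) ) {
        return strtolower( $value );
    }
    add_settings_error( 'mcwp_bg_color', 'mcwp_bad_color',
        'Background colour must be a hex value such as #1a2b3c.' );
    return get_option( 'mcwp_bg_color', '#ffffff' );
}

// Register the option with the sanitize callback so every save path through
// options.php is validated; this does not depend on unfiltered_html at all.
add_action( 'admin_init', function () {
    register_setting( 'mcwp_settings', 'mcwp_bg_color', array(
        'type'              => 'string',
        'sanitize_callback' => 'mcwp_sanitize_bg_color',
        'default'           => '#ffffff',
    ) );
} );

// Output: re-validate (defence in depth, in case the option was written by
// another code path) and escape. The allow-list is the real control; after it
// the value can only be a CSS colour token, so esc_attr() is belt and braces.
function mcwp_render_calculator() {
    $color = get_option( 'mcwp_bg_color', '#ffffff' );
    if ( ! preg_match( '/\A#(?:[0-9a-fA-F]{3}){1,2}\z/', $color ) ) {
        $color = '#ffffff';
    }
    return '<style>.mcwp { background: ' . esc_attr( $color ) . '; }</style>';
}
```

Checking the saved option for anything other than a `#rrggbb` / `#rgb` token (for example in a WP-CLI `wp option get` review or a database audit) is a quick way to detect whether an unsanitised value was stored before the plugin was updated.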

