Lucene search

K
wpexploitApple502jWPEX-ID:A092548F-1AD5-44D3-9901-CDF4EBCEE40A
HistoryAug 30, 2021 - 12:00 a.m.

CoolClock < 4.3.5 - Contributor+ Stored Cross-Site Scripting

2021-08-3000:00:00
apple502j
268

0.001 Low

EPSS

Percentile

24.8%

The plugin does not escape some shortcode attributes, allowing users with a role as low as Contributor toperform Stored Cross-Site Scripting attacks

As a user with a role as low as contributor, put the following shortcode in a post/page and view/preview it to trigger the XSS (which is specific to the TwentyTwentuOne theme but could be changed)

[coolclock fontcolor='orange" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)//']

0.001 Low

EPSS

Percentile

24.8%

Related for WPEX-ID:A092548F-1AD5-44D3-9901-CDF4EBCEE40A