WPVDB-ID: 0B8C5947-BC73-448E-8F10-A4F4456E4000
History: Aug 23, 2021 - 12:00 a.m.

Post Views Counter < 1.3.5 - Authenticated Stored XSS

2021-08-23 00:00:00
Tung Duong Dinh
wpscan.com
10
Tags: post views counter, authenticated stored xss, cross-site scripting attacks, frontend, unfiltered_html capability

EPSS

0.001

Percentile

24.8%

The plugin does not sanitise or escape its Post Views Label setting, which could allow high-privilege users to perform Cross-Site Scripting attacks on the frontend even when the unfiltered_html capability is disallowed.

PoC

Put the following payload in the Post Views Label setting of the plugin (wp-admin/options-general.php?page=post-views-counter&tab=display). The XSS is triggered on any post (by default), but the display setting can also be changed to cover pages etc.
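The root cause described above is a settings value that is stored and printed verbatim. The following is an added illustration, not code from the Post Views Counter plugin: a constructed settings handler showing that pattern beside the sanitise-on-save, escape-on-output form. The option name `pvc_demo_label` and the `pvc_demo_*` function names are assumptions.

```php
<?php
// Constructed illustration (not the Post Views Counter plugin's own code).
// The option name 'pvc_demo_label' and the pvc_demo_* functions are assumptions.

// Vulnerable pattern: the label setting is stored and echoed verbatim, so a
// high-privilege user can persist markup that executes in every visitor's
// browser on the frontend, regardless of whether unfiltered_html is disallowed.
function pvc_demo_save_label_vulnerable( $raw ) {
    update_option( 'pvc_demo_label', $raw );                  // no sanitisation
}
function pvc_demo_render_label_vulnerable( $count ) {
    echo get_option( 'pvc_demo_label' ) . ' ' . (int) $count; // no escaping
}

// Hardened pattern: the label is plain text, so strip tags on save and
// HTML-escape on output. Escaping at output is the essential part, because it
// also neutralises values that were stored before the fix.
function pvc_demo_register_settings() {
    register_setting(
        'pvc_demo',
        'pvc_demo_label',
        array( 'sanitize_callback' => 'sanitize_text_field' )
    );
}
add_action( 'admin_init', 'pvc_demo_register_settings' );

function pvc_demo_save_label( $raw ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    update_option( 'pvc_demo_label', sanitize_text_field( $raw ) );
    return true;
}
function pvc_demo_render_label( $count ) {
    $label = get_option( 'pvc_demo_label', 'Post Views:' );
    echo esc_html( $label ) . ' ' . esc_html( number_format_i18n( (int) $count ) );
}
```

Note that the capability check only limits who can write the setting; without the escaping at output, a high-privilege account still turns the label into a stored XSS vector, which is exactly the case this entry describes.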
