Source: wpvulndb | Author: Apple502j | WPVDB-ID: 0D422397-69FF-4D05-AAFA-7A572E460E5F
Published: Oct 18, 2021 - 12:00 a.m.

QR Redirector < 1.6.1 - Contributor+ Stored Cross-Site Scripting

6
Tags: qr redirector, stored cross-site scripting, contributor, cross-site scripting, plugin

EPSS: 0.001 (percentile 24.8%)

The plugin does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

PoC

As a contributor, create/edit a "QR Redirect" and set the following fields:

- "URL to Redirect to": https://example.com/#" style="animation-name:rotation" onanimationend="alert(/XSS-URL/)//
- "Admin Notes":

The XSS will be triggered when any user accesses the QR Redirect (for example an admin reviewing it).
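The advisory's root cause is missing output escaping of Contributor-controlled fields. As an added illustration, not the QR Redirector plugin's own code, the following shows context-aware escaping with standard WordPress functions for a hypothetical renderer of the two affected fields; the function names, meta keys and form field names are assumptions, and the save handler goes one step further than the advisory by sanitising on write as defence in depth.

```php
<?php
// Added example, not the plugin's code. Function names, meta keys and
// form field names are assumptions made for illustration.

function qrr_example_render_row( int $post_id ): string {
    // Contributor-supplied values from post meta: untrusted input.
    $url   = (string) get_post_meta( $post_id, '_qrr_redirect_url', true );
    $notes = (string) get_post_meta( $post_id, '_qrr_admin_notes', true );

    // Unsafe pattern (what the advisory describes): raw values echoed into
    // an attribute and into element text. A '"' in $url closes the href
    // attribute, so the attacker can append style/on* attributes.
    //   return '<a href="' . $url . '">' . $url . '</a><p>' . $notes . '</p>';

    // Hardened pattern, one escaper per output context:
    //  - esc_url()  removes characters not valid in a URL (such as '"'),
    //    percent-encodes spaces and returns '' for disallowed schemes
    //    such as javascript:.
    //  - esc_html() encodes <, >, &, " and ' for text content. Use
    //    esc_attr() for other attribute values, or wp_kses_post() if the
    //    notes are meant to carry a safe subset of HTML.
    return sprintf(
        '<a href="%s">%s</a><p>%s</p>',
        esc_url( $url ),
        esc_html( $url ),
        esc_html( $notes )
    );
}

// Defence in depth: constrain the stored value on save as well, so a
// template that forgets to escape has less to expose. Capability and
// nonce checks keep the handler from being driven by forged requests.
function qrr_example_save_fields( int $post_id ): void {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['qrr_nonce'] )
        || ! wp_verify_nonce( $_POST['qrr_nonce'], 'qrr_save_' . $post_id ) ) {
        return;
    }
    if ( isset( $_POST['qrr_redirect_url'] ) ) {
        update_post_meta( $post_id, '_qrr_redirect_url',
            esc_url_raw( wp_unslash( $_POST['qrr_redirect_url'] ) ) );
    }
    if ( isset( $_POST['qrr_admin_notes'] ) ) {
        update_post_meta( $post_id, '_qrr_admin_notes',
            sanitize_textarea_field( wp_unslash( $_POST['qrr_admin_notes'] ) ) );
    }
}
```

Storage-time sanitisation is a backstop, not a substitute: the fix the advisory calls for is escaping at every output point, matched to the HTML context being written.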

