Lucene search
TymWPVDB-ID:9D48313B-76D7-4252-9B81-2FDD0373561BHistorySep 20, 2021 - 12:00 a.m.
Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting
2021-09-2000:00:00
tym
wpscan.com
7
0.001 Low
EPSS
Percentile
21.8%
The plugin does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks.
PoC
Put the following payload in the QR setting: "> The XSS will be triggered in the plugin’s setting page, as well as all frontend posts. via CSRF:
| CPE | Name | Operator | Version |
|---|---|---|---|
| wechat-reward | eq | * |
Related
prion
prion
Cross site scripting
2021-10-18 14:15:00
cve
cve
CVE-2021-24615
2021-10-18 14:15:09
patchstack
patchstack
cnvd
cnvd
WordPress Wechat Reward plugin cross-site request forgery vulnerability
2021-10-24 00:00:00
cvelist
cvelist
CVE-2021-24615 Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting
2021-10-18 13:45:47
nvd
nvd
CVE-2021-24615
2021-10-18 14:15:09
wpexploit
wpexploit
Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting
2021-09-20 00:00:00