Lucene search
Ajay Sandipan ThorboleWPEX-ID:426EAFB1-0261-4E7E-8C70-75BF4C476F18HistoryJun 16, 2021 - 12:00 a.m.
Request a Quote < 2.3.4 - Authenticated Stored XSS
2021-06-1600:00:00
Ajay Sandipan Thorbole
307
admin
unfiltered html
stored xss
security exploit
payload
quote request
EPSS
0.001
Percentile
24.8%
The plugin did not sanitise and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the 'All Quotes" table. Note: By default, admins and editors are allowed to use JavaScript in posts and page, unless the UNFILTERED_HTML capability is disallowed. However, even with this capability disallowed, the plugin did not sanitise the inputs
As an admin (and with the UNFILTERED_HTML disallowed), add a quote with the following payload in the "First Name", "Last Name", "Address", "City", and "Additional Details" fields: <script>alert(/XSS/)</script>
View the 'All Quotes" list to trigger the XSSRelated
prion
prion
Cross site scripting
2021-07-12 20:15:00
patchstack
patchstack
cvelist
cvelist
CVE-2021-24420 Request a Quote < 2.3.4 - Authenticated Stored XSS
2021-07-12 19:20:55
cve
cve
CVE-2021-24420
2021-07-12 20:15:09
nvd
nvd
CVE-2021-24420
2021-07-12 20:15:09
cnvd
cnvd
WordPress Plugin Cross-Site Scripting Vulnerability (CNVD-2021-59596)
2021-07-14 00:00:00
wpvulndb
wpvulndb
Request a Quote < 2.3.4 - Authenticated Stored XSS
2021-06-16 00:00:00