Lucene search
Jeremie AmsellemWPEX-ID:F426360E-5BA0-4D6B-BFD4-61BC54BE3469HistoryDec 21, 2021 - 12:00 a.m.
Backup and Staging by WP Time Capsule < 1.22.7 - Reflected Cross-Site Scripting
2021-12-2100:00:00
Jeremie Amsellem
62
cross-site scripting
admin panel
server requirements
uri
javascript
cloud authentication
EPSS
0.001
Percentile
31.7%
The plugin does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
Once the "Server Requirements" are passed in the initial setup process (you can bypass the check for localhosts by editing the is_localhost function in the same file for testing purpose) the vulnerability can be triggered at any time in an admin's panel using an URI with JavaScript content inserted in the error parameter such as :
https://example.com/wp-admin/admin.php?page=wp-time-capsule&error="><script>alert(/XSS/)</script>&cloud_auth_action=g_drive
Related
patchstack
patchstack
cnvd
cnvd
nvd
nvd
CVE-2021-25035
2022-01-24 08:15:09
prion
prion
Cross site scripting
2022-01-24 08:15:00
wpvulndb
wpvulndb
cvelist
cvelist
cve
cve
CVE-2021-25035
2022-01-24 08:15:09