Lucene search
Muhammad DaffaWPVDB-ID:368828F9-FDD1-4A82-8658-20E0F4C4DA0CHistoryJul 19, 2021 - 12:00 a.m.
Vik Rent Car < 1.1.10 - Authenticated Stored Cross-Site Scripting (XSS)
2021-07-1900:00:00
Muhammad Daffa
wpscan.com
9
0.001 Low
EPSS
Percentile
24.8%
The plugin does not sanitise the ‘Text Next to Icon’ field when adding or editing a Characteristic, allowing high privilege users such as admin to use XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue
PoC
Add or Edit a Characteristic (/wp-admin/admin.php?option=com_vikrentcar&task;=carat)) with the following payload in the ‘Text Next to Icon’ field: Then view the Characteristics List to trigger the XSS
| CPE | Name | Operator | Version |
|---|---|---|---|
| vikrentcar | lt | 1.1.10 |
Related
cnvd
cnvd
nvd
nvd
CVE-2021-24519
2021-08-16 11:15:08
wpexploit
wpexploit
Vik Rent Car < 1.1.10 - Authenticated Stored Cross-Site Scripting (XSS)
2021-07-19 00:00:00
cve
cve
CVE-2021-24519
2021-08-16 11:15:08
cvelist
cvelist
prion
prion
Cross site scripting
2021-08-16 11:15:00