Lucene search
Apple502jWPVDB-ID:E8550CCD-3898-4E27-ACA9-ADE89823FF4DHistorySep 28, 2021 - 12:00 a.m.
Flat Preloader < 1.5.5 - Admin+ Stored Cross-Site Scripting
2021-09-2800:00:00
apple502j
wpscan.com
6
0.001 Low
EPSS
Percentile
24.8%
The plugin does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
PoC
Put the following payload in the “Alt text” setting of the plugin, then view any page in the frontend to trigger it: " onload=alert(/XSS/)//
| CPE | Name | Operator | Version |
|---|---|---|---|
| flat-preloader | lt | 1.5.5 |
Related
cve
cve
CVE-2021-24789
2021-11-01 09:15:09
cvelist
cvelist
CVE-2021-24789 Flat Preloader < 1.5.5 - Admin+ Stored Cross-Site Scripting
2021-11-01 08:46:23
nvd
nvd
CVE-2021-24789
2021-11-01 09:15:09
cnvd
cnvd
WordPress Flat Preloader plugin cross-site scripting vulnerability
2021-11-04 00:00:00
patchstack
patchstack
prion
prion
Cross site scripting
2021-11-01 09:15:00
wpexploit
wpexploit
Flat Preloader < 1.5.5 - Admin+ Stored Cross-Site Scripting
2021-09-28 00:00:00