Wp Plugin Project Status

Plugin Details

Plugin Name: wp-plugin : project-status
Effected Version : 1.6 (and most probably lower version's if any)
Vulnerability : Cross-Site Scripting (XSS)
Minimum Level of Access Required : Subscriber
CVE Number : CVE-2021-24558
Identified by : Shreya Pohekar
WPScan Reference URL

Disclosure Timeline

Technical Details

The URL generated after the post creation takes in GET parameter post that is not properly sanitised, validated or escaped that leads to Cross-site scripting.

Vulnerable_code: includes/clone/duplicate-post-admin.php#L187

187:    wp_die(esc_attr(__('Copy creation failed, could not find original:', pspin_duplicate_post_I18N_DOMAIN)) . ' ' . $id);

PoC Screenshot

PoC Screenshot