CVE-2021-24286
published 2021-05-14

Priority: P3 (43)
CVSS 3.1: 6.1 (medium), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: available (see Detection & IOCs below)
EPSS: 13.94% (96.1th percentile)
The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue

Affected

2 ranges

Vendor          Product                  Version range       Fixed in
moove_agency    redirect_404_to_parent   >= 1.3.1 < 1.3.1    1.3.1
mooveagency     redirect_404_to_parent   < 1.3.1             1.3.1

Detection & IOCs (extracted from sources)

URL: wp-admin/options-general.php?page=moove-redirect-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
URL: /wp-admin/options-general.php?page=moove-redirect-settings&tab=%22+style%3Danimation-name%3Arotation+onanimationstart%3D%22alert%28document.domain%29%3B
Path: /wp-admin/options-general.php
  • Look for reflected XSS payload in the `tab` parameter of the moove-redirect-settings admin page; the unsanitised value is echoed back in the HTTP response body.
  • Detect requests to options-general.php with page=moove-redirect-settings and a tab parameter containing HTML/JS injection characters (e.g. quote, style=, onanimationstart=).
  • In HTTP response body, presence of both the unencoded XSS payload string and the string 'Moove redirect 404' confirms successful reflection and vulnerable plugin version.
  • Attack requires an authenticated session (admin login via /wp-login.php) before triggering the XSS on the settings page.
  • The XSS is reflected (not stored), so exploitation requires tricking an authenticated admin into clicking a crafted link; it is not exploitable without user interaction.
  • Vulnerability is fixed in plugin version 1.3.1; instances running 1.3.0 or earlier are affected.
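As an added example (not from the cvebase page or the plugin's authors), the detection bullets above turned into a small access-log scanner: it parses combined-format log lines, decodes the query string, and flags requests to options-general.php where page is moove-redirect-settings and the tab value contains quote, tag or attribute-injection characters. The log lines, client IPs and timestamps are constructed, and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined format), not taken from any real site.
# The second line carries the reflected-XSS pattern documented for this CVE.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2021:10:01:02 +0000] "GET /wp-admin/options-general.php?page=moove-redirect-settings&tab=general HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [14/May/2021:10:02:15 +0000] "GET /wp-admin/options-general.php?page=moove-redirect-settings&tab=%22+style%3Danimation-name%3Arotation+onanimationstart%3D%22alert%28document.domain%29%3B HTTP/1.1" 200 5230 "-" "Mozilla/5.0"
203.0.113.9 - - [14/May/2021:10:03:40 +0000] "GET /wp-admin/options-general.php?page=other-plugin&tab=%22%3E HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that have no business in a settings-tab name: attribute/tag breakouts and
# inline event handlers (the documented PoC uses a quote, style= and onanimationstart=).
SUSPICIOUS = re.compile(r'["\'<>]|\bstyle\s*=|\bon\w+\s*=', re.IGNORECASE)

def classify_request(target):
    """Return the decoded `tab` value when the request targets the vulnerable
    settings page and carries injection characters, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/options-general.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("page", [""])[0] != "moove-redirect-settings":
        return None
    # parse_qs already decodes once; decode again to catch double-encoded values.
    tab = unquote(query.get("tab", [""])[0])
    return tab if SUSPICIOUS.search(tab) else None

def scan_log(text):
    """Return a list of (client_ip, decoded_tab) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        tab = classify_request(m.group("target"))
        if tab is not None:
            hits.append((line.split()[0], tab))
    return hits

if __name__ == "__main__":
    for ip, tab in scan_log(SAMPLE_LOG):
        print(f"{ip}: suspicious tab value {tab!r}")
```

Pair a hit with the response-body check from the bullets above (payload echoed unencoded next to the 'Moove redirect 404' string) to confirm reflection rather than a blocked or sanitised request.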

CVSS provenance

NVD, CVSS v3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N