VYPR
Unrated severity · NVD Advisory · Published Jun 21, 2021 · Updated Aug 3, 2024

WP Hardening < 1.2.2 - Reflected XSS via historyvalue

CVE-2021-24373

Description

The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the historyvalue GET parameter before outputting it in a Javascript block, leading to a reflected Cross-Site Scripting issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • WordPress / WP Hardening – Fix Your WordPress Security
  • Range: < 1.2.2


Vulnerability mechanics

Root cause

"Missing sanitization and escaping of the `historyvalue` GET parameter before outputting it in a JavaScript block."

Attack vector

An attacker crafts a URL containing a malicious payload in the `historyvalue` GET parameter. Because the plugin fails to sanitize or escape this parameter before embedding it into a JavaScript block, the payload executes in the victim's browser when they visit the crafted URL [ref_id=1]. This is a reflected Cross-Site Scripting (XSS) attack [CWE-79], requiring the attacker to trick the victim into clicking the malicious link.

Affected code

The plugin's handling of the `historyvalue` GET parameter is at fault. The advisory states the plugin "did not sanitise or escape the historyvalue GET parameter before outputting it in a Javascript block" [ref_id=1]. No specific file or function names are provided in the advisory.

What the fix does

The advisory indicates the vulnerability is fixed in version 1.2.2 of the WP Hardening plugin [ref_id=1]. No patch diff is provided in the bundle. The fix would involve properly sanitizing and escaping the `historyvalue` GET parameter before outputting it into a JavaScript block, preventing arbitrary script injection.
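The advisory names no file or function, so the following is an added illustration rather than the plugin's own code: a hypothetical WordPress admin page that hands the `historyvalue` GET parameter to a script block, shown in the unsafe shape the advisory describes and in a hardened form using WordPress's `sanitize_text_field`, `wp_unslash`, `wp_json_encode` and `wp_add_inline_script` (the script handle is assumed).

```php
<?php
// Added example, not code from the WP Hardening plugin. Assumes a WordPress
// runtime so that sanitize_text_field(), wp_unslash(), wp_json_encode() and
// wp_add_inline_script() are available.

// Pattern the advisory describes: the raw GET parameter is concatenated
// straight into a <script> block. Any quote or closing tag in the query
// string leaves the string literal, so the browser runs attacker-chosen
// script (reflected XSS, CWE-79).
function wph_history_script_vulnerable() {
    $history = isset( $_GET['historyvalue'] ) ? $_GET['historyvalue'] : '';
    echo "<script>var historyvalue = '" . $history . "';</script>";
}

// Flags that make wp_json_encode() emit \u003C, \u003E, \u0026, \u0027 and
// \u0022 instead of < > & ' ", so the literal can never close the string
// or the <script> element, whatever the parameter contains.
const WPH_JSON_FLAGS = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

// Read the parameter once: strip WordPress's added slashes, then reduce it
// to a single line of plain text (strips tags, control chars, extra space).
function wph_history_param() {
    if ( ! isset( $_GET['historyvalue'] ) ) {
        return '';
    }
    return sanitize_text_field( wp_unslash( $_GET['historyvalue'] ) );
}

// Hardened pattern: encode the value as a JSON literal. The result already
// carries its own quotes, so it is NOT wrapped in a second pair.
function wph_history_script_fixed() {
    $literal = wp_json_encode( wph_history_param(), WPH_JSON_FLAGS );
    echo '<script>var historyvalue = ' . $literal . ';</script>';
}

// Preferred when the page already enqueues a script: attach the value as
// an inline script on the existing handle instead of echoing a block.
// 'wp-hardening-admin' is a hypothetical handle, not one from the plugin.
function wph_history_inline_script() {
    $literal = wp_json_encode( wph_history_param(), WPH_JSON_FLAGS );
    wp_add_inline_script(
        'wp-hardening-admin',
        'var historyvalue = ' . $literal . ';',
        'before'
    );
}
```

Encoding at the output point is what closes the hole; `sanitize_text_field` alone is input hygiene and must not be relied on as the escape.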

Preconditions

  • input: The attacker must trick a victim into visiting a crafted URL containing a malicious `historyvalue` parameter
  • config: The WP Hardening plugin version must be earlier than 1.2.2

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

