VYPR
Medium severity · 6.4 · NVD Advisory · Published Jun 8, 2026

CVE-2021-47984


Description

WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the fieldnameDomain parameter. Attackers can inject JavaScript payloads through the plugin settings form at options.php that execute in the browsers of administrators viewing the settings page.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The plugin fails to sanitize user input in the 'fieldnameDomain' parameter, allowing for script injection."

Attack vector

An authenticated attacker can submit a crafted POST request to `options.php` targeting the `wp24_domaincheck[fieldnameDomain]` parameter [ref_id=1]. This parameter is used within the plugin's settings form. By injecting JavaScript payloads, such as `111" onfocus=alert(document.cookie); on=` [ref_id=1], the attacker can execute arbitrary scripts in the browser of administrators who view the plugin's settings page.

Affected code

The vulnerability resides in the `wp24-domain-check` plugin, specifically within the `includes/class-wp24-settings.php` file. The `add_settings_field` function is used to register the 'fieldnameDomain' field, which is identified as vulnerable due to improper handling of the 'name' attribute [ref_id=1].
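The attribute breakout described above, and the two standard WordPress controls against it (escape on output, sanitize on save), shown as an added example that is not the plugin's own code and not a vendor fix. The `demo_*` functions, the field markup and the allowed character set are assumptions; only the option name and the payload come from the advisory.

```php
<?php
// Added example, not the plugin's code. Runs under the PHP CLI (DOM extension);
// inside WordPress the real esc_attr() replaces the stand-in below.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { // stand-in approximating WordPress esc_attr()
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Hypothetical field renderer; $escape = false models the unsanitized output.
function demo_render_field( $stored, $escape ) {
    $value = $escape ? esc_attr( $stored ) : $stored;
    return '<input type="text" name="wp24_domaincheck[fieldnameDomain]" value="'
        . $value . '" class="regular-text">';
}

// Parse the markup and return the attribute names found on the <input>.
function demo_attribute_names( $html ) {
    libxml_use_internal_errors( true ); // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML( $html );
    $names = array();
    foreach ( $doc->getElementsByTagName( 'input' )->item( 0 )->attributes as $attr ) {
        $names[] = strtolower( $attr->name );
    }
    return $names;
}

// An on* attribute means the stored value escaped its quotes.
function demo_has_event_handler( $html ) {
    return (bool) preg_grep( '/^on/', demo_attribute_names( $html ) );
}

// Hypothetical sanitize-on-save step; the allowed set is an assumption.
// In WordPress, pass it as 'sanitize_callback' in the register_setting() args.
function demo_sanitize_fieldname( $raw ) {
    return preg_replace( '/[^A-Za-z0-9_\-]/', '', (string) $raw );
}

$payload = '111" onfocus=alert(document.cookie); on='; // quoted in the advisory

var_dump( demo_has_event_handler( demo_render_field( $payload, false ) ) ); // raw output
var_dump( demo_has_event_handler( demo_render_field( $payload, true ) ) );  // escaped output
var_dump( demo_sanitize_fieldname( $payload ) );                            // value after sanitizing
```

The same attribute-name check can be run as a regression test against the rendered settings page after any change to how the field is printed.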

What the fix does

The provided bundle does not contain information about a patch or specific remediation steps. Therefore, the advisory does not specify how the vulnerability is fixed. Users are advised to consult the vendor for the latest security updates.

Preconditions

  • auth: The attacker must be authenticated to the WordPress instance.
  • input: The attacker must submit a crafted POST request with a malicious payload in the 'fieldnameDomain' parameter.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
