ZCyberNews

Three WordPress Plugins Carry Stored XSS Flaws (CVE-2021-47926-929)


Executive Summary

Three WordPress plugins — Filterable Portfolio Gallery 1.0, WP Symposium Pro 2021.10, and Contact Form to Email 1.3.24 — each carry a stored cross-site scripting (XSS) vulnerability rated CVSS 6.4 (medium severity), according to National Vulnerability Database (NVD) entries published in recent days. The flaws, tracked as CVE-2021-47929, CVE-2021-47927, and CVE-2021-47926 respectively, allow authenticated attackers to inject persistent JavaScript payloads through unsanitized input fields. When other users — including administrators — view the affected pages, the injected scripts execute in their browsers, enabling session hijacking, credential theft, or further privilege escalation within the WordPress admin panel.

Technical Analysis

All three vulnerabilities share a common root cause: insufficient sanitization of user-supplied input before storage and subsequent rendering in the browser. The flaws are classified as stored XSS (CAPEC-592, CWE-79) because the payload is permanently saved on the server and served to every visitor of the affected page.

CVE-2021-47929 — Filterable Portfolio Gallery 1.0

According to the NVD entry, the Filterable Portfolio Gallery plugin version 1.0 fails to sanitize the title field when users create or edit gallery items. An authenticated attacker with at least contributor-level access can inject JavaScript payloads — such as <img src=x onerror=alert(1)> — into the title parameter. When any user, including site administrators, previews or views the gallery, the stored script executes. The plugin is distributed via the vendor site at filterable-portfolio.com.

CVE-2021-47927 — WP Symposium Pro 2021.10

The WP Symposium Pro plugin, a social-networking extension for WordPress, contains a stored XSS vulnerability in its forum functionality. The NVD reports that the wps_admin_forum_add_name parameter on the admin setup page is not properly sanitized. An authenticated attacker can submit a POST request with JavaScript code in the forum name field. The payload is stored and rendered whenever the forum listing page is loaded, affecting all users who browse forums. The plugin is available at wpsymposiumpro.com.

CVE-2021-47926 — Contact Form to Email 1.3.24

The Contact Form to Email plugin (version 1.3.24), developed by dwbooster.com, allows authenticated users to create and manage forms. The NVD entry indicates that the form name field lacks output encoding. An attacker can craft a form name containing <script> tags or event handlers. When other logged-in users access the form management page in the WordPress admin dashboard, the malicious script executes. This is particularly dangerous because the admin dashboard context exposes sensitive actions and cookies.

All three CVEs carry a CVSS v3.1 base score of 6.4, with the vector string indicating network attack vector, low attack complexity, low privileges required, and changed scope. The scope change reflects that the injected script executes in the context of the victim's session, which may have different permissions than the attacker's session.
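The pattern shared by all three entries, a stored title or name concatenated into HTML without encoding, beside its hardened form. This is an added example, not code from any of the three plugins; it is plain PHP so it runs from the CLI, and its two helpers stand in for the WordPress functions named in the comments.

```php
<?php
// Added example, not code from any of the three plugins: the vulnerable pattern the
// NVD entries describe (a stored title echoed without encoding) beside the hardened
// form. Plain PHP so it runs from the CLI; in a WordPress plugin the equivalents are
// sanitize_text_field() on save and esc_html()/esc_attr() on output.

// Constructed sample input: the payload quoted in the article, submitted as a title.
$submittedTitle = '<img src=x onerror=alert(1)>';

// VULNERABLE: the stored title is concatenated into HTML as-is, so the browser
// parses the <img> tag and fires its onerror handler for every viewer of the page.
function render_item_vulnerable(string $storedTitle): string
{
    return '<h3 class="item-title">' . $storedTitle . '</h3>';
}

// HARDENED, layer 1 (sanitize on save): strip tags and control characters so the
// database only ever holds plain text. Stands in for sanitize_text_field().
function sanitize_title_on_save(string $raw): string
{
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean);
    return trim($clean);
}

// HARDENED, layer 2 (escape on output): encode < > & " ' at render time so the
// browser displays the text instead of parsing it. Stands in for esc_html().
// This layer is what neutralizes payloads already sitting in the database.
function render_item_hardened(string $storedTitle): string
{
    $escaped = htmlspecialchars($storedTitle, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h3 class="item-title">' . $escaped . '</h3>';
}

$vulnerable      = render_item_vulnerable($submittedTitle);
$cleanAndEscaped = render_item_hardened(sanitize_title_on_save($submittedTitle));
$escapedOnly     = render_item_hardened($submittedTitle); // a row stored before the fix

echo "vulnerable:      $vulnerable\n";      // still carries the live <img> tag
echo "sanitize+escape: $cleanAndEscaped\n"; // empty title: tags stripped on save
echo "escape only:     $escapedOnly\n";     // payload shown as inert text

// Self-check: no tag from the input may survive either hardened rendering.
foreach ([$cleanAndEscaped, $escapedOnly] as $html) {
    if (strpos($html, '<img') !== false) {
        fwrite(STDERR, "hardened output still contains active markup\n");
        exit(1);
    }
}
```

The third case is the one that matters for already-compromised sites: escaping at output time renders a previously stored payload as text even before the database row is cleaned up.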

Mitigations & Recommendations

Site administrators should immediately identify whether any of the three plugins are installed and, if so, check for available updates from the respective vendors. As of this writing, the NVD entries do not specify patched versions. Defenders should consider disabling or removing the plugins until the vendors release security updates that properly sanitize the identified input fields. For WordPress sites running WP Symposium Pro, administrators can temporarily restrict access to the forum setup page to only highly trusted users. For Filterable Portfolio Gallery and Contact Form to Email, the same principle applies: limit the ability to create or edit items and forms to accounts that require it for legitimate business purposes. Web application firewalls (WAFs) with XSS signature detection may block some payloads but are not a substitute for input sanitization at the application layer.
