CVE-2021-24559

Name of the Vulnerable Software and Affected Versions Qyrr WordPress plugin versions prior to 0.7

Description The issue allows for Cross-Site Scripting attacks due to the failure to escape the data-uri of the QR Code when outputting it in a src attribute. Additionally, the data uri to meta AJAX action, available to all authenticated users, is vulnerable to Stored Cross-Site Scripting, as it only has a CSRF check in place, with the nonce available to users with a role as low as Contributor. This allows any user with such role (and above) to set a malicious data-uri in arbitrary QR Code posts.

Recommendations For versions prior to 0.7, update to version 0.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the data uri to meta AJAX action to higher roles until the update is applied.