MEDIUM 6.4

CVE-2021-47984: WP24 Domain Check XSS Vulnerability – WordPress Plugin Risk Analysis

The WP24 Domain Check WordPress plugin version 1.6.2 contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with plugin access to inject malicious JavaScript code. When an admin later views the plugin's settings page, that injected code executes in their browser, potentially allowing the attacker to perform unauthorized actions on their behalf or steal sensitive information. This is a persistence threat—once injected, the malicious script remains in the plugin settings until manually removed.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the fieldnameDomain parameter. Attackers can inject JavaScript payloads through the plugin settings form at options.php that execute in the browsers of administrators viewing the settings page.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2021-47984 is a stored XSS vulnerability in WP24 Domain Check 1.6.2 stemming from improper input validation on the fieldnameDomain parameter in the plugin's settings form (options.php). The plugin fails to sanitize or escape user-supplied input before storing it in the database and before rendering it in the admin interface. An authenticated attacker can craft a malicious payload containing JavaScript and submit it through the plugin configuration. When any administrator accesses the settings page, the unsanitized payload executes in their browser context with their privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects network accessibility, low attack complexity, requirement for valid WordPress authentication, cross-site scope impact, and partial confidentiality and integrity compromise without availability impact.

Business impact

Compromise of WordPress administrator accounts through malicious script execution poses significant operational risk. An attacker can pivot from plugin settings to broader WordPress exploitation—modifying site content, exfiltrating sensitive data, injecting backdoors into the main WordPress installation, or using the compromised site as a vector for further attacks on visitors or the organization. For businesses relying on WordPress for customer-facing content or data collection, this translates to potential data breach, brand damage, service disruption, and regulatory liability depending on the jurisdiction and data handled.

Affected systems

WordPress installations running WP24 Domain Check plugin version 1.6.2 are vulnerable. Organisations should verify whether this plugin is active on any WordPress sites in their environment. The vulnerability requires authentication to trigger, so the attack surface is limited to users with WordPress account access (contributors, editors, administrators, or custom roles with plugin settings permissions). Plugin versions prior to 1.6.2 may or may not be affected; consult the vendor's advisory to determine the affected version range and any patched versions.

Exploitability

Exploitability is moderate. The attack requires a valid WordPress user account, which limits the attacker pool but is not a high barrier in shared hosting environments, when credentials are compromised, or for insider threats. Once authenticated, no special user interaction is required—the attacker simply submits the payload, and it automatically executes when any admin views the settings page. No special tools or complex techniques are necessary. However, the attacker must retain some knowledge of WordPress plugin administration and basic JavaScript payload construction. The vulnerability has not been marked as actively exploited in the wild according to CISA's Known Exploited Vulnerabilities catalog.

Remediation

Immediately deactivate and remove WP24 Domain Check 1.6.2 from all affected WordPress installations if the plugin is not critical to business operations. Verify with the vendor whether a patched version is available; if so, update to the latest version after testing in a staging environment. If the plugin must remain in use and no patch is available, restrict plugin settings access to a minimal set of trusted administrators and implement strong access controls. Additionally, audit WordPress user accounts and remove any suspicious or inactive accounts. Review recent plugin settings changes in WordPress audit logs and the plugin's stored configuration for signs of tampering. Consider using a WordPress security scanner or Web Application Firewall (WAF) to detect and block stored XSS payloads.

Patch guidance

Check the official WordPress plugin repository or the vendor's website for an updated version of WP24 Domain Check that addresses this vulnerability. The vulnerability is confirmed in version 1.6.2; patch availability and version numbers should be verified directly from the vendor. After updating, perform a full site integrity check and audit administrator activity logs to confirm no malicious code was injected prior to patching. If you are using a managed WordPress hosting provider, confirm whether they have auto-update capabilities enabled for plugins, which may have already deployed the patch.

Detection guidance

Monitor WordPress admin access logs for unusual login patterns or access to plugin settings by unexpected users. Use WordPress security plugins or WAF rules to detect and log attempts to submit suspicious input (JavaScript tags, event handlers, encoded payloads) to the options.php endpoint. Audit the wp_options table in WordPress database for the plugin's settings fields (containing fieldnameDomain parameter) and inspect them for script tags, iframe references, or other indicators of injection. Review WordPress REST API logs if the plugin exposes settings via API endpoints. Threat hunters can also search for common XSS payload signatures in stored plugin configurations.

Why prioritize this

This vulnerability merits prompt but not emergency-level response. The CVSS score of 6.4 (MEDIUM) reflects meaningful but not critical impact; no availability disruption occurs, and the attack requires prior authentication. However, the stored nature of the XSS means that once injected, the threat persists and affects multiple admin users automatically. The risk is amplified in multi-user WordPress environments and organizations where WordPress admin accounts are shared or have weak access controls. Prioritize deactivation or patching of this plugin above non-critical vulnerabilities, but coordinate with other CRITICAL or HIGH-severity updates in your patch cycle.

Risk score, explained

The CVSS 3.1 score of 6.4 reflects a MEDIUM-severity vulnerability: network-accessible, low complexity attack, authenticated (not unauthenticated) initiation, limited to users with WordPress access, cross-site scope impact affecting multiple sessions and parties, and partial compromise of confidentiality and integrity without system availability impact. The score does not include exploit prevalence or active weaponization; the lack of KEV listing indicates this is not yet widely exploited. However, the stored nature of the injection elevates practical risk beyond the numeric score—persistence, multi-user impact, and potential for lateral movement into core WordPress should inform your risk assessment.

Frequently asked questions

Does this vulnerability allow remote code execution or only JavaScript injection?

This is strictly a stored XSS vulnerability—it allows JavaScript execution in browser context only, not remote code execution on the server. An attacker cannot directly execute arbitrary PHP or system commands. However, JavaScript can be leveraged to perform administrative actions (content modification, plugin installation, user management) if it exploits trust in the admin session, so the practical impact is still severe.

Can users without plugin settings access be affected?

No. The vulnerability exists in the plugin settings form (options.php), which is restricted to WordPress administrators. However, once an attacker injects the payload, it executes for any administrator who views the settings page, potentially including users not involved in plugin management. Ensure only essential admins have plugin-level access.

Is there a temporary mitigation if a patch is not yet available?

Yes: restrict access to plugin settings to a small trusted group of admins, enforce strong passwords and multi-factor authentication on those accounts, and consider disabling the plugin entirely if it is not essential. Additionally, use a WAF or security plugin to monitor and block suspicious input to options.php.

How should I verify my WordPress installation for signs of this exploitation?

Query your wp_options table for the plugin's stored settings and inspect the fieldnameDomain field for unusual content such as script tags or event handlers. Check WordPress audit logs or security plugin activity for unexpected changes to plugin settings. Review administrator login records for unfamiliar IPs or times. A WordPress security scanner can also flag suspicious stored content.

This analysis is provided for informational purposes to support vulnerability risk assessment and remediation planning. Specific patch versions, availability dates, and vendor advisory details should be verified directly with the plugin vendor or WordPress repository before patching. Organizations should test patches in a staging environment before production deployment. This content does not constitute legal advice. Consult with your security and legal teams regarding compliance obligations specific to your industry or jurisdiction. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).