SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2021-33850
    ▲ MediumCVSS 5.4✓ PatchedEPSS 0.00597%

    Stored Cross-Site Scripting in WordPress Microsoft Clarity Plugin

    There is a Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3. The XSS payload executes whenever the user changes the clarity configuration in Microsoft Clarity version 0.3. The payload is stored on the configuring project Id page.

    CVE IDCVE-2021-33850
    CVSS v3.15.4 Medium
    VendorMicrosoft
    CWECWE-79
    DisclosedOct 18, 2021
    StatusFixed
    All advisories
    • 01Description
    • 02Proof of Concept
    • 03Impact
    • 04Remediation
    • 05Timeline
    • 06References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    A Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3 can cause arbitrary code to run in a user’s browser while the browser is connected to a trusted website. The XSS payload executes whenever the user changes the clarity configuration in Microsoft Clarity version 0.3 stored on the configuring project ID page.

    Vendor
    Microsoft
    Affected Product
    Microsoft Clarity version 0.3
    CVE
    CVE-2021-33850
    Securin ID
    2020-CSW-10-1050
    Status
    Fixed
    Date
    October 18, 2021
    Severity
    Medium
    CVSS Score
    5.4
    Vector
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    CWE
    CWE-79
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    5.4CVSS 3.1
    VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    ScopeChanged
    ImpactC:L / I:L / A:N
    SeverityMedium

    The following vulnerability was detected in WordPress Microsoft Clarity Plugin version 0.3.

    PoC · Exploitation Steps▲ trigger
    01Figure 1: Microsoft Clarity Plugin Installation02Figure 2: Microsoft Clarity Settings Page03Figure 3: Entering Encoded Xss Payload in the Project ID section04Figure 4: Injected XSS Payload Executed and Displays an Alert Box
    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    An attacker can control a script executed in the victim’s browser and fully compromise the targeted user. In addition, an XSS vulnerability enables attacks that are contained within the application itself. There is no need to find an external way of inducing the victim to make a request containing their exploit. Instead, the attacker places the exploit inside the application itself and simply waits for users to encounter it, thus, resulting in the following:

    Medium

    Stealing cookies,

    Medium

    End-user files disclosure,

    High

    Installation of Trojan horse programs,

    High

    Redirection of the user to some other page or site.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    01

    Perform context-sensitive encoding of untrusted input before it is echoed back to a browser by using the encoding library.

    N/A
    02

    Implement input validation for special characters on all the variables reflected in the browser and stored in the database.

    N/A
    03

    Implement client-side validation.

    N/A

    Figure 5: Cross-Site Scripting Mitigation Setting in the wp.config File Prevents Cross-site Scripting Attacks

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2021-33850, contact disclose@securin.io
    05/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    17 October 2021

    Discovered in Microsoft Clarity version 0.3

    20 October 2021

    Reported to WordPress Team.

    20 October 2021

    WordPress acknowledged.

    25 October 2021

    Microsoft Clarity Plugin fixed the issue.

    07 November 2021

    CSW Assigned the CVE Identifier [CVE-2021-33850]

    Timeline recorded · Disclosure coordinated by Securin

    06/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2021-33850

    nvd.nist.gov/vuln/detail/CVE-2021-33850 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum