exploitDog

CVE-2021-24516

Опубликовано: 18 окт. 2021

Источник: nvd

CVSS3: 4.8

CVSS2: 3.5

EPSS Низкий

Описание

The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.

Ссылки

https://wpscan.com/vulnerability/88d70e35-4c22-4bc7-b1a5-24068d55257c
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/88d70e35-4c22-4bc7-b1a5-24068d55257c
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:planso:planso_forms:*:*:*:*:*:wordpress:*:*

Версия до 2.6.3 (включая)

EPSS

Процентиль: 52%

0.00287

Низкий

4.8 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-p4vw-x9cg-642w

github

больше 3 лет назад

The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.

EPSS

Процентиль: 52%

0.00287

Низкий

4.8 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79