exploitDog

CVE-2021-24581

Опубликовано: 30 авг. 2021

Источник: nvd

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.

Ссылки

https://wpscan.com/vulnerability/75abd073-b45f-4fe6-8501-7a6d0163f78d
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/75abd073-b45f-4fe6-8501-7a6d0163f78d
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:blue-admin_project:blue-admin:*:*:*:*:*:wordpress:*:*

Версия до 21.06.01 (включая)

EPSS

Процентиль: 88%

0.0368

Низкий

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-79

CWE-79

Связанные уязвимости

GHSA-mqfw-gg2g-9qc5

CVSS3: 8.8

github

больше 3 лет назад

The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.

EPSS

Процентиль: 88%

0.0368

Низкий

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-79

CWE-79