exploitDog

CVE-2021-24618

Опубликовано: 20 сент. 2021

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user (as low as subscriber), or unauthenticated user via a CSRF vector to update them and perform such attack.

Ссылки

https://wpscan.com/vulnerability/d50b801a-16b5-45e9-a465-e3bb0445cb49
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/d50b801a-16b5-45e9-a465-e3bb0445cb49
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wbolt:donate_with_qrcode:*:*:*:*:*:wordpress:*:*

Версия до 1.4.5 (исключая)

EPSS

Процентиль: 42%

0.00198

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

CWE-79

Связанные уязвимости

GHSA-3g5v-m9jm-mw8w

CVSS3: 5.4

github

больше 3 лет назад

The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user (as low as subscriber), or unauthenticated user via a CSRF vector to update them and perform such attack.

EPSS

Процентиль: 42%

0.00198

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

CWE-79