exploitDog

CVE-2021-24685

Опубликовано: 01 нояб. 2021

Источник: nvd

CVSS3: 5.4

CVSS2: 5

EPSS Низкий

Описание

The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)

Ссылки

https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:flat_preloader_project:flat_preloader:*:*:*:*:*:wordpress:*:*

Версия до 1.5.4 (исключая)

EPSS

Процентиль: 34%

0.00137

Низкий

5.4 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-79

CWE-79

Связанные уязвимости

GHSA-3mcq-mff7-29h7

CVSS3: 5.4

github

больше 3 лет назад

The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)

EPSS

Процентиль: 34%

0.00137

Низкий

5.4 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-79

CWE-79