CVE-2021-24979

Опубликовано: 27 дек. 2021

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

Ссылки

https://plugins.trac.wordpress.org/changeset/2632369/paid-memberships-pro/tags/2.6.6/adminpages/discountcodes.php
Patch
Third Party Advisory
https://wpscan.com/vulnerability/fc011990-4ec1-4553-901d-4ff1f482cb79
Exploit
Patch
Third Party Advisory
https://plugins.trac.wordpress.org/changeset/2632369/paid-memberships-pro/tags/2.6.6/adminpages/discountcodes.php
Patch
Third Party Advisory
https://wpscan.com/vulnerability/fc011990-4ec1-4553-901d-4ff1f482cb79
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:strangerstudios:paid_memberships_pro:*:*:*:*:*:wordpress:*:*

Версия до 2.6.6 (исключая)

EPSS

Процентиль: 86%

0.0269

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-33mq-pfqq-c55m

github

около 4 лет назад