CVE-2021-24408
Last modified
CVE-2021-24408 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. The Prismatic WordPress plugin before 2.8 does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS trigger able in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.. EPSS estimates a 0.62% chance of exploitation in the next 30 days.
Description
The Prismatic WordPress plugin before 2.8 does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS trigger able in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Plugin-Planet | Prismatic | < 2.8 |
References
- https://wpscan.com/vulnerability/51855853-e7bd-425f-802c-824209f4f84dExploit, Third Party Advisory
- https://wpscan.com/vulnerability/51855853-e7bd-425f-802c-824209f4f84dExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-24408?
How severe is CVE-2021-24408?
How do I fix CVE-2021-24408?
Are you affected by CVE-2021-24408?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST