Admin Columns Free (< 4.3.2) & Pro (< 5.5.2) - Authenticated Stored Cross-Site Scripting (XSS) in Custom Field
CVE-2021-24365

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Admin Columns; Admin Columns Pro
Vendor: CVE Published:; 12 July 2021

What is CVE-2021-24365?

The Admin Columns WordPress plugin Free before 4.3.2 and Pro before 5.5.2 allowed to configure individual columns for tables. Each column had a type. The type "Custom Field" allowed to choose an arbitrary database column to display in the table. There was no escaping applied to the contents of "Custom Field" columns.

Affected Version(s)

Admin Columns 4.3.2

Admin Columns Pro 5.5.2

References

https://wpscan.com/vulnerability/fdbeb137-b404-46c7-85fb-...

x_refsource_CONFIRM

https://www.syss.de/fileadmin/dokumente/Publikationen/Adv...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 12, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

Johannes Lauinger

SySS GmbH