W3 Total Cache < 2.1.4 - Reflected XSS in Extensions Page (Attribute Context)
CVE-2021-24436

6.1 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
19 July 2021

Summary

The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to reflected Cross-Site Scripting (XSS) via the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker who can convince an authenticated admin to click a link to run malicious JavaScript within the user's web browser, which could lead to full site compromise.

Affected Version(s)

W3 Total Cache 2.1.4

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

renniepak