Favicon by RealFaviconGenerator <= 1.3.20 - Reflected Cross-Site Scripting (XSS)
CVE-2021-24437

6.1MEDIUM

Key Information:

Vendor
Wordpress
Status
Favicon By Realfavicongenerator
Vendor
CVE Published:
30 August 2021

Summary

The Favicon by RealFaviconGenerator WordPress plugin through 1.3.20 does not sanitise or escape one of its parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) which is executed in the context of a logged administrator.

Affected Version(s)

Favicon by RealFaviconGenerator 1.3.20

References

https://wpscan.com/vulnerability/ed9d26be-cc96-4274-a05b-...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

renniepak
.