WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Shortcode
CVE-2021-24961

5.4MEDIUM

Key Information:

Vendor

Wordpress
Status
WordPress File Upload
WordPress-file-upload-pro
Vendor
CVE Published:
7 March 2022

What is CVE-2021-24961?

The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

Affected Version(s)

WordPress File Upload 4.16.3

wordpress-file-upload-pro 4.16.3

References

https://plugins.trac.wordpress.org/changeset/2677722
x_refsource_CONFIRM
https://wpscan.com/vulnerability/c911bbbd-0196-4e3d-ada3-...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

apple502j
.