YITH Maintenance Mode (WordPress plugin) <= 1.3.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability.
CVE-2021-36841

6.9MEDIUM

Key Information:

Vendor: Wordpress
Status: Yith Maintenance Mode (WordPress Plugin)
Vendor: CVE Published:; 27 September 2021

Summary

Authenticated Stored Cross-Site Scripting (XSS) vulnerability in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.7, vulnerable parameter &yith_maintenance_newsletter_submit_label. Possible even when unfiltered HTML is disallowed by WordPress configuration.

Affected Version(s)

YITH Maintenance Mode (WordPress plugin) <= 1.3.7 <= 1.3.7

References

https://wordpress.org/plugins/yith-maintenance-mode/#deve...

x_refsource_CONFIRM

https://patchstack.com/database/vulnerability/yith-mainte...

x_refsource_MISC

CVSS V3.1

Score:

6.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 27, 2021
Vulnerability Reserved
Jul 19, 2021

Credit

Original researcher - Asif Nawaz Minhas (Patchstack Red Team)