CVE-2021-24208

Severity: 5.4 MEDIUM
EPSS: 0.4% (top 38.10%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Apr 5
Latest update: May 24

Description

The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML” widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client-side validation but not server-side validation), all of which are added via the “page_builder_data” parameter when performing the “wppb_page_save” AJAX action. It is als

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (2 packages)

CVEListV5 | unknown/wp_page_builder | 1.2.4 | 1.2.4

Patches

Vulnerability Details (2)

GHSA | GHSA-pf43-g47c-f3f8: The editor of the WP Page Builder WordPress plugin before 1 | 2022-05-24
CVEList | WP Page Builder < 1.2.4 - Multiple Stored Cross-Site scripting (XSS) | 2021-04-05
CVE-2021-24208 (MEDIUM CVSS 5.4) | The editor of the WP Page Builder W | cvebase.io