CVE-2021-24241

Severity
6.1 MEDIUM
EPSS
0.6%
top 29.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 22
Latest update: May 24

Description

The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 2 packages

Vulnerability Details (2)

GHSA
GHSA-qrc3-2vgc-v73w: The Advanced Custom Fields Pro WordPress plugin before 5 | 2022-05-24
CVEList
Advanced Custom Field Pro < 5.9.1 - Reflected Cross-Site Scripting (XSS) | 2021-04-22
CVE-2021-24241 (MEDIUM CVSS 6.1) | The Advanced Custom Fields Pro Word | cvebase.io