CVE-2021-24287
published 2021-05-14CVE-2021-24287: The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab…
PriorityP342medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
10.36%
95.1th percentile
The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mooveagency | select_all_categories_and_taxonomies_change_checkbox_to_radio_buttons | < 1.3.2 | 1.3.2 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)
exploitdb·2021-09-29·CVSS 6.1
CVE-2021-24287 [MEDIUM] WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)
WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)
---
# Exploit Title: WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)
# Date: 2/15/2021
# Author: 0xB9
# Software Link: https://downloads.wordpress.org/plugin/select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons.1.3.1.zip
# Version: 1.3.1
# Tested on: Windows 10
# CVE: CVE-2021-24287
1. Description:
The tab parameter in the Admin Panel is vulnerable to XSS.
2. Proof of Concept:
wp-admin/options-general.php?page=moove-taxonomy-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
Nuclei
WordPress Select All Categories and Taxonomies <1.3.2 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2021-24287 [MEDIUM] WordPress Select All Categories and Taxonomies <1.3.2 - Cross-Site Scripting
WordPress Select All Categories and Taxonomies <1.3.2 - Cross-Site Scripting
WordPress Select All Categories and Taxonomies plugin before 1.3.2 contains a cross-site scripting vulnerability. The settings page of the plugin does not properly sanitize the tab parameter before outputting it back. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Template:
id: CVE-2021-24287
info:
name: WordPress Select All Categories and Taxonomies <1.3.2 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
WordPress Select All Categories and Taxonomies plugin before 1.3.2 contains a cross-site scripting vulnerability. Th
No writeups or analysis indexed.
http://packetstormsecurity.com/files/164327/WordPress-Select-All-Categories-And-Taxonomies-1.3.1-Cross-Site-Scripting.htmlhttps://wpscan.com/vulnerability/56e1bb56-bfc5-40dd-b2d0-edef43d89bdfhttp://packetstormsecurity.com/files/164327/WordPress-Select-All-Categories-And-Taxonomies-1.3.1-Cross-Site-Scripting.htmlhttps://wpscan.com/vulnerability/56e1bb56-bfc5-40dd-b2d0-edef43d89bdf
2021-05-14
Published