CVE-2021-24313

CWE-79Cross-site Scripting (XSS)4 documents4 sources
Severity
5.4MEDIUM
EPSS
0.3%
top 43.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown WP PrayerGoprayer WP Prayer
Timeline
PublishedJun 1
Latest updateMay 24

Description

The WP Prayer WordPress plugin before 1.6.2 provides the functionality to store requested prayers/praises and list them on a WordPress website. These stored prayer/praise requests can be listed by using the WP Prayer engine. An authenticated WordPress user with any role can fill in the form to request a prayer. The form to request prayers or praises have several fields. The 'prayer request' and 'praise request' fields do not use proper input validation and can be used to store XSS payloads.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

CVEListV5unknown/wp_prayer1.6.21.6.2
NVDgoprayer/wp_prayer< 1.6.2

🔴Vulnerability Details

2
GHSA
GHSA-77vm-hfph-f8g6: The WP Prayer WordPress plugin before 12022-05-24
CVEList
WP Prayer < 1.6.2 - Authenticated Stored Cross-Site Scripting (XSS)2021-06-01

💥Exploits & PoCs

1
Exploit-DB
WordPress Plugin WP Prayer version 1.6.1 - 'prayer_messages' Stored Cross-Site Scripting (XSS) (Authenticated)2021-06-01
CVE-2021-24313 (MEDIUM CVSS 5.4) | The WP Prayer WordPress plugin befo | cvebase.io