cbcvebase.
CVE-2021-24316
published 2021-06-01

CVE-2021-24316: The search feature of the Mediumish WordPress theme through 1.0.47 does not properly sanitise it's 's' GET parameter before output it back the page, leading to…

PriorityP341medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
6.44%
92.9th percentile
The search feature of the Mediumish WordPress theme through 1.0.47 does not properly sanitise it's 's' GET parameter before output it back the page, leading to the Cross-SIte Scripting issue.

Affected

2 ranges
VendorProductVersion rangeFixed in
wowthemesmediumish<= 1.0.47
wowthemesmediumish1.0.47 – 1.0.47

Detection & IOCsextracted from sources · hover to see the quote

others=[XSS payload]
  • The vulnerable parameter is the 's' GET parameter in the search feature of the Mediumish WordPress theme (through version 1.0.47). Monitor HTTP requests containing unsanitised script payloads in the 's' query string parameter.
  • ·The nuclei template uses a randomised string payload ({{randstr}}) wrapped in alert() to confirm reflected XSS; adapt the payload to your testing policy before use.

CVSS provenance

nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.