CVE-2021-24351
Published: 2021-06-14
CVE-2021-24351: The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields…
Priority: P337, medium, 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 2.48% (82.6th percentile)
The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting (exploitable on both unauthenticated and authenticated users)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| posimyth | the_plus_addons_for_elementor | < 4.1.12 | 4.1.12 |
CVSS provenance
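| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |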
No detection rules found.
Nuclei
WordPress The Plus Addons for Elementor <4.1.12 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2021-24351 [MEDIUM] WordPress The Plus Addons for Elementor <4.1.12 - Cross-Site Scripting
WordPress The Plus Addons for Elementor alert(document.domain)"
```yaml
      - "the-plus-addons-for-elementor"
    condition: and
  - type: word
    part: header
    words:
      - text/html
  - type: status
    status:
      - 200
# digest: 4a0a00473045022100b53d8eb6894f4a0b9965bdeba6ad4a9a1d945f8a206d1c23a3d21d776572a2a1022076c61b430b7f8d1f9fd12e7377e1ecfdfd870ed3c8d68632330bcdec7d2fd0af:922c64590222798bb761d5b6d8e72950
```