CVE-2021-24448

Severity: 4.8 MEDIUM
EPSS: 0.4% (top 38.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2021-08-02; latest update 2022-05-24

Description

The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.8 does not sanitise or escape its 'Modify default Redirect Delay timer' setting, allowing high-privilege users such as administrators to store JavaScript code in it, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue. Disallowing unfiltered_html (for example via DISALLOW_UNFILTERED_HTML, or the multisite default for non-super-admins) only routes post and comment content through WordPress's kses filters; a plugin option is saved exactly as submitted unless the plugin sanitises it itself, which is why that restriction does not mitigate this finding.
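The pattern behind this class of finding, shown as an added example that is not Profile Builder's own code: a hypothetical option named example_redirect_delay stands in for the 'Modify default Redirect Delay timer' setting, because the plugin's real option name, save handler and markup are not given on this page. The vulnerable functions store and echo the raw submitted value; the hardened functions fix the value's type at save time with a sanitize_callback and still escape each output context.

```php
<?php
// Added example, not the plugin's code. 'example_redirect_delay' and the
// example_* function names are hypothetical stand-ins for the real setting.

// --- Vulnerable pattern: raw POST value stored, raw option echoed back ---
function example_save_delay_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // a capability check alone does not help: the admin is the attacker
    }
    // No sanitisation, so a value such as
    //   5" onfocus="alert(document.domain)" autofocus="
    // or   1);</script><script>alert(document.domain)//
    // is stored verbatim. Nothing here consults unfiltered_html, and kses never
    // runs on options, so DISALLOW_UNFILTERED_HTML changes nothing.
    update_option( 'example_redirect_delay', wp_unslash( $_POST['redirect_delay'] ) );
}

function example_render_delay_vulnerable() {
    $delay = get_option( 'example_redirect_delay', 3 );
    // Two unescaped sinks: an HTML attribute and a JavaScript literal.
    echo '<input type="text" name="redirect_delay" value="' . $delay . '">';
    echo '<script>setTimeout(redirectNow, ' . $delay . ' * 1000);</script>';
}

// --- Hardened pattern: a delay is a number, so store only a non-negative
//     integer, and escape on output anyway (defence in depth) ---
function example_register_delay_setting() {
    register_setting(
        'example_settings',
        'example_redirect_delay',
        array(
            'type'              => 'integer',
            'sanitize_callback' => 'absint', // non-numeric input becomes 0
            'default'           => 3,
        )
    );
}
add_action( 'admin_init', 'example_register_delay_setting' );

function example_render_delay_hardened() {
    // Cast again on read: the option may predate the sanitize_callback
    // or have been written by another code path.
    $delay = absint( get_option( 'example_redirect_delay', 3 ) );
    echo '<input type="number" min="0" name="redirect_delay" value="' . esc_attr( $delay ) . '">';
    // wp_json_encode() keeps the JS sink safe even if $delay ever becomes a string.
    echo '<script>setTimeout(redirectNow, ' . wp_json_encode( $delay ) . ' * 1000);</script>';
}
```

For a site that ran an affected version, the stored value is the artefact to inspect: after updating to 3.4.8 or later, read the plugin's option (its name is not on this page) with `wp option get` and confirm it is a plain integer, since the update changes the code but not data already saved.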

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

PR:H reflects that only a user who can edit the plugin's settings can plant the payload; UI:R that a victim must load a page on which the setting is rendered; S:C that the script then executes in the victim's browser within the site's origin rather than in the attacker's own session.

Affected Packages: 2 packages

Vulnerability Details (2 references)

GHSA: GHSA-8j23-c7w9-jxvg (2022-05-24): The User Registration & User Profile – Profile Builder WordPress plugin before 3…
CVE List (2021-08-02): Profile Builder < 3.4.8 - Authenticated Stored XSS
Source: cvebase.io