CVE-2021-24496

Severity
6.1 MEDIUM
EPSS
0.2%
top 59.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Aug 2
Latest update May 24

Description

The Community Events WordPress plugin before 1.4.8 does not sanitise, validate or escape its importrowscount and successimportcount GET parameters before outputting them back in an admin page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged-in administrator.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 2 packages

Vulnerability Details (2)
GHSA
GHSA-9g3p-ghhv-vpv9: The Community Events WordPress plugin before 1 (2022-05-24)
CVEList
Community Event < 1.4.8 - Reflected Cross-Site Scripting (XSS) (2021-08-02)