CVE-2021-24694

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.2%

top 60.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Simple Download Monitor Tipsandtricks-hq Simple Download Monitor

Timeline

PublishedJan 24

Latest updateJan 25

Description

The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5unknown/simple_download_monitor3.9.11 — 3.9.11

▶NVDtipsandtricks-hq/simple_download_monitor< 3.9.11

🔴Vulnerability Details

GHSA

GHSA-6hx8-38qq-7423: The Simple Download Monitor WordPress plugin before 3↗2022-01-25

▶

CVEList

Simple Download Monitor < 3.9.11 - Contributor+ Stored Cross-Site Scripting via Shortcodes↗2022-01-24

▶