CVE-2021-24697 — Cross-site Scripting in Simple Download Monitor

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 56.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tipsandtricks-hq Simple Download Monitor

Timeline

PublishedNov 8

Latest updateMay 24

Description

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDtipsandtricks-hq/simple_download_monitor< 3.9.5

🔴Vulnerability Details

GHSA

GHSA-2pc3-m7w9-6vv5: The Simple Download Monitor WordPress plugin before 3↗2022-05-24

▶

CVEList

Simple Download Monitor < 3.9.5 - Reflected Cross-Site Scripting↗2021-11-08

▶