CVE-2021-24826

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.2%

top 60.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Custom Content Shortcode Custom Content Shortcode Project Custom Content Shortcode

Timeline

PublishedMar 7

Latest updateMar 8

Description

The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. Please note that such attack is still possible by admin+ in single site blogs by default (but won't be when the unfiltered_html is disallowed)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5unknown/custom_content_shortcode4.0.2 — 4.0.2

▶NVDcustom_content_shortcode_project/custom_content_shortcode< 4.0.2

🔴Vulnerability Details

GHSA

GHSA-h77p-7f34-7fqv: The Custom Content Shortcode WordPress plugin before 4↗2022-03-08

▶

CVEList

Custom Content Shortcode < 4.0.2 - Authenticated Stored Cross-Site Scripting↗2022-03-07

▶