CVE-2021-24934
Published: 2022-02-01

Priority: P3 | Severity: medium | CVSS 3.1 base score: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploit

EPSS: 1.40% (69.0th percentile)
The Visual CSS Style Editor WordPress plugin before 7.5.4 does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yellowpencil | visual_css_style_editor | < 7.5.4 | 7.5.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
Nuclei template (CVSS 6.1): CVE-2021-24934 [MEDIUM] Visual CSS Style Editor < 7.5.4 - Cross-Site Scripting
Visual CSS Style Editor alert(document.domain) HTTP/1.1
Host: {{Hostname}}
matchers:
  - type: dsl
    dsl:
      - 'status_code_2 == 200'
      - 'contains(content_type_2, "text/html")'
      - 'contains_all(body_2, "alert(document.domain)", "yellow-pencil-iframe-data")'
    condition: and
# digest: 4a0a00473045022100fc24bec497ae0f1171bc56b8b7d05398b821cec3c9b7a72e6d5ccb81394bfbaf0220220db4ced79884d5c5ed3e548b0ee4306f73dcddb3f57b106b3d29f1bb80c1d8:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.