CVE-2021-24961

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.3%

top 48.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Wordpress-file-upload-pro Unknown Wordpress File Upload Iptanus Wordpress File Upload +1 more

Timeline

PublishedMar 7

Latest updateMar 8

Description

The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶CVEListV5unknown/wordpress_file_upload4.16.3 — 4.16.3

▶NVDiptanus/wordpress_file_upload< 4.16.3

▶CVEListV5unknown/wordpress-file-upload-pro4.16.3 — 4.16.3

▶NVDiptanus/wordpress_file_upload_pro< 4.16.3

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-v8xx-gxhg-qqpr: The WordPress File Upload WordPress plugin before 4↗2022-03-08

▶

CVEList

WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Shortcode↗2022-03-07

▶