CVE-2021-24986

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.3%

top 47.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Post Grid Pickplugins Post Grid

Timeline

PublishedApr 11

Latest updateApr 12

Description

The Post Grid WordPress plugin before 2.1.16 does not escape the keyword parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in pages containing a Post Grid with a search form

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDpickplugins/post_grid< 2.1.16

▶CVEListV5unknown/post_grid2.1.16 — 2.1.16

🔴Vulnerability Details

GHSA

GHSA-hgmh-vm7j-q2wp: The Post Grid WordPress plugin before 2↗2022-04-12

▶

CVEList

Post Grid < 2.1.16 - Reflected Cross-Site Scripting via keyword↗2022-04-11

▶