CVE-2021-25101

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

4.8MEDIUM

EPSS

0.2%

top 57.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Anti-malware Security AND Brute-force Firewall Anti-malware Security AND Brute-force Firewall Project Anti-malware Security AND Brute-force Firewall

Timeline

PublishedFeb 21

Latest updateFeb 22

Description

The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.94 does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site scripting. Due to the presence of specific parameter value, available to admin users, this can only be exploited by an admin against another admin user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5unknown/anti-malware_security_and_brute-force_firewall4.20.94 — 4.20.94

▶NVDanti-malware_security_and_brute-force_firewall_project/anti-malware_security_and_brute-force_firewall< 4.20.94

🔴Vulnerability Details

GHSA

GHSA-9v6h-h8cq-vv39: The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4↗2022-02-22

▶

CVEList

Anti-Malware Security and Brute-Force Firewall < 4.20.94 - Admin+ Reflected Cross-Site Scripting↗2022-02-21

▶