Vulnerability Details : CVE-2021-24126
Unvalidated input and lack of output encoding in the Envira Gallery Lite WordPress plugin, versions before 1.8.3.3, did not properly sanitise the images metadata (namely title) before outputting them in the generated gallery, which could lead to privilege escalation.
Vulnerability category: Cross site scripting (XSS)Gain privilege
Products affected by CVE-2021-24126
- cpe:2.3:a:enviragallery:envira_gallery:*:*:*:*:lite:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-24126
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 34 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-24126
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
NIST |
CWE ids for CVE-2021-24126
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by:
- contact@wpscan.com (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2021-24126
-
https://wpscan.com/vulnerability/f3952bd1-ac2f-4007-9e19-6c44a22465f3
Attention Required! | CloudflareExploit;Third Party Advisory
Jump to