Vulnerability Details : CVE-2021-24545
The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio field of users, allowing them to store malicious JavaScript code that is executed when anyone visits a frontend post written by such a user. As a result, a user with a role as low as Author could perform stored Cross-Site Scripting attacks against visitors, which could lead to privilege escalation when an administrator views the affected post(s).
Vulnerability category: Cross site scripting (XSS); Gain privilege
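The pattern behind this class of bug, as an added illustration (this is not the WP HTML Author Bio plugin's own code, and the function names, hook priorities and allowlist below are assumptions): WordPress core strips unsafe markup from the user bio on save through the pre_user_description filter, so a plugin that removes that filter to "allow HTML" and then echoes the stored value verbatim gives every Author-level account a stored XSS sink on the frontend. The hardened form keeps the rich-HTML feature but runs the bio through wp_kses() with an explicit tag/attribute allowlist, both on save and on output.

```php
<?php
// Added example, not code from the WP HTML Author Bio plugin.
// Assumes a plugin whose purpose is to let authors use HTML in their bio.

// --- Vulnerable pattern (stored XSS) ---------------------------------------
// Core registers wp_filter_kses on 'pre_user_description' from kses_init()
// (hooked on 'init' at priority 10). Removing it at priority 11 means any
// user who can edit their profile, including Authors, can store <script>,
// on* handlers or javascript: URLs in the bio.
function vuln_allow_html_in_bio() {
    remove_filter( 'pre_user_description', 'wp_filter_kses' );
}
add_action( 'init', 'vuln_allow_html_in_bio', 11 );

function vuln_render_author_bio() {
    // The raw stored value is echoed with no escaping or filtering, so the
    // payload runs for every visitor of the author's posts, admins included.
    echo '<div class="author-bio">' . get_the_author_meta( 'description' ) . '</div>';
}

// --- Hardened pattern ------------------------------------------------------
// Allow a deliberately small HTML subset. wp_kses() drops any tag or
// attribute not listed here and also rejects disallowed URL schemes
// (e.g. javascript:) in href via WordPress' allowed-protocols check.
function safe_bio_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'br'     => array(),
        'em'     => array(),
        'strong' => array(),
        'p'      => array(),
        'ul'     => array(),
        'ol'     => array(),
        'li'     => array(),
    );
}

// Sanitise on save so the database never holds active content...
function safe_filter_bio_on_save( $description ) {
    return wp_kses( $description, safe_bio_allowed_html() );
}
add_filter( 'pre_user_description', 'safe_filter_bio_on_save' );

// ...and again on output, which also neutralises bios stored before the fix.
function safe_render_author_bio() {
    $bio = get_the_author_meta( 'description' );
    echo '<div class="author-bio">' . wp_kses( $bio, safe_bio_allowed_html() ) . '</div>';
}
```

Filtering on output matters when triaging an already-exploited site: patching only the save path leaves any payload that an Author stored earlier still live until the bio is re-saved, so the output filter (or a one-off pass over existing description user meta) is what actually closes the hole.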
Products affected by CVE-2021-24545
- Wp Html Author Bio Project » Wp Html Author Bio » For Wordpress: versions up to and including (<=) 1.2.0; CPE: cpe:2.3:a:wp_html_author_bio_project:wp_html_author_bio:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-24545
- EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~23% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2021-24545
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST | |
CWE ids for CVE-2021-24545
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: contact@wpscan.com (Primary))
References for CVE-2021-24545
- https://wpscan.com/vulnerability/64267134-9d8c-4e0c-b24f-d18692a5775e (Exploit; Third Party Advisory)