CVE-2021-24618
CVSS V2 Low 3.5
CVSS V3 Medium 5.4
Description
The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user (as low as subscriber), or unauthenticated user via a CSRF vector to update them and perform such attack.
Overview
- CVE ID
- CVE-2021-24618
- Assigner
- contact@wpscan.com
- Vulnerability Status
- Analyzed
- Published Version
- 2021-09-20T10:15:09
- Last Modified Date
- 2022-12-20T22:07:44
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:wbolt:donate_with_qrcode:*:*:*:*:*:wordpress:*:* | 1 | OR | 1.4.5 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:M/Au:S/C:N/I:P/A:N
- Access Vector
- NETWORK
- Access Compatibility
- MEDIUM
- Authentication
- SINGLE
- Confidentiality Impact
- NONE
- Integrity Impact
- PARTIAL
- Availability Impact
- NONE
- Base Score
- 3.5
- Severity
- LOW
- Exploitability Score
- 6.8
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- REQUIRED
- Scope
- CHANGED
- Confidentiality Impact
- LOW
- Availability Impact
- NONE
- Base Score
- 5.4
- Base Severity
- MEDIUM
- Exploitability Score
- 2.3
- Impact Score
- 2.7
References
| Reference URL | Reference Tags |
|---|---|
| https://wpscan.com/vulnerability/d50b801a-16b5-45e9-a465-e3bb0445cb49 | Exploit Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2021-24618 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24618 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 06:52:41 | Added to TrackCVE | |||
| 2022-12-05 10:54:00 | 2021-09-20T10:15Z | 2021-09-20T10:15:09 | CVE Published Date | updated |
| 2022-12-05 10:54:00 | 2022-07-29T10:15:11 | CVE Modified Date | updated | |
| 2022-12-05 10:54:00 | Undergoing Analysis | Vulnerability Status | updated | |
| 2022-12-21 06:59:59 | 2022-12-20T22:07:44 | CVE Modified Date | updated | |
| 2022-12-21 06:59:59 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |