// For flags

CVE-2021-24157

Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Stored Cross Site Scripting

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. There were no checks to verify that a user had the unfiltered_html capability prior to saving the script tags, thus allowing lower-level users to inject scripts that could potentially be malicious.

Orbit Fox de ThemeIsle, presenta una funcionalidad para añadir scripts personalizados en el encabezado y el pie de página de una página o publicación. No había comprobaciones para verificar que un usuario tenía la capacidad unfiltered_html antes de guardar las etiquetas de los scripts, lo que permitía a usuarios de nivel inferior inyectar scripts que podían ser potencialmente maliciosos

Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. There were no checks to verify that a user had the unfiltered_html capability prior to saving the script tags, thus allowing lower-level users to inject scripts that could potentially be malicious in versions up to, and including 2.10.2.

*Credits: Chloe Chamberland
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-01-12 CVE Published
  • 2021-01-14 CVE Reserved
  • 2023-03-08 EPSS Updated
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Themeisle
Search vendor "Themeisle"
 Orbit Fox
Search vendor "Themeisle" for product "Orbit Fox"
 < 2.10.3
Search vendor "Themeisle" for product "Orbit Fox" and version " < 2.10.3"
wordpress
Affected