CVE-2021-24525
Shortcodes Ultimate < 5.10.2 - Contributor+ Stored XSS
Public Exploits: 1
Exploited in Wild: -
Decision: -
Descriptions
The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-01-14 CVE Reserved
- 2021-08-23 CVE Published
- 2023-04-13 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
URL | Date | SRC
---|---|---
https://wpscan.com/vulnerability/7f5659bd-50c3-4725-95f4-cf88812acf1c | 2024-08-03 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Getshortcodes | Shortcodes Ultimate | < 5.10.2 | wordpress | Affected