CVE-2021-24958
Meks Easy Photo Feed Widget < 1.2.4 - Subscriber+ Settings Update to Stored XSS
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 1
Exploited in Wild: -
Decision: -
Descriptions
The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, which is available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as a subscriber, could update the plugin's settings and put Cross-Site Scripting payloads in them.
The Meks Easy Photo Feed WordPress plugin in versions before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, which is available to any authenticated user, and does not escape some of the parameters. As a result, any authenticated user, such as a subscriber, could update the plugin's settings and put Cross-Site Scripting payloads in them.
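The description names three separate defects in one AJAX handler: no CSRF nonce check, no capability check, and stored values that are not escaped on output. The following is an added example of how a WordPress settings-saving AJAX action is normally hardened against all three; it is illustrative code written for this page, not the plugin's own code, and the action name `example_save_selected_account`, the option name `example_selected_account`, the `account_id` parameter and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code. Names below are assumptions.
// Registers a logged-in AJAX action; wp_ajax_* hooks run for any
// authenticated user, so authorisation must be enforced inside the handler.
add_action( 'wp_ajax_example_save_selected_account', 'example_save_selected_account' );

function example_save_selected_account() {
    // 1. CSRF: require a nonce that was issued to this user for this action.
    //    check_ajax_referer() terminates the request (HTTP 403, "-1") on failure.
    check_ajax_referer( 'example_save_selected_account', 'nonce' );

    // 2. Capability: a valid nonce only proves the request came from the
    //    site's own UI; it does not prove the user may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate and sanitise before storing. Restricting the value to a
    //    known-safe character set stops script markup from ever being saved.
    $account_id = isset( $_POST['account_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['account_id'] ) )
        : '';
    if ( '' === $account_id || ! preg_match( '/^[A-Za-z0-9_\-]{1,64}$/', $account_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid account id.' ), 400 );
    }

    update_option( 'example_selected_account', $account_id );
    wp_send_json_success( array( 'account_id' => $account_id ) );
}

// 4. Output escaping: stored settings are still treated as untrusted when
//    rendered, so a value that slipped past validation cannot execute.
function example_render_selected_account() {
    $account_id = get_option( 'example_selected_account', '' );
    echo '<span class="example-account">' . esc_html( $account_id ) . '</span>';
}

// The nonce the handler expects is issued to the admin page's script so the
// browser can send it back in the POST body as the "nonce" field.
function example_enqueue_admin_script( $hook ) {
    if ( 'settings_page_example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_selected_account' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The two checks at the top are independent: the nonce defends against a forged cross-site request from an administrator's browser, while `current_user_can()` is what stops a subscriber from calling the action directly. Escaping with `esc_html()` at render time is the last line of defence for data that is already in the database, which matters when a site was upgraded after a payload had been stored.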
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-01-14 CVE Reserved
- 2021-11-10 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
URL | Date | SRC |
---|---|---|
https://wpscan.com/vulnerability/011c2519-fd84-4c95-b8b8-23654af59d70 | 2024-08-03 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Mekshq | Meks Easy Photo Feed Widget | < 1.2.4 | wordpress | Affected |