CVE-2021-39338
MyBB Cross-Poster <= 1.0 Authenticated Stored Cross-Site Scripting
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The MyBB Cross-Poster WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
El plugin MyBB Cross-Poster de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting Almacenado debido a una comprobación insuficiente y saneamiento de entradas por medio de diversos parámetros encontrados en el archivo ~/classes/MyBBXPSettings.php que permitían a atacantes con acceso de usuario administrativo inyectar scripts web arbitrarios, en versiones hasta la 1.0 incluyéndola. Esto afecta a las instalaciones multi-sitio en las que unfiltered_html está deshabilitado para los administradores, y a los sitios en los que unfiltered_html está deshabilitado
The MyBB Cross-Poster WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0. This affects multi-site installations where unfiltered_html is disabled for administrators and sites where unfiltered_html is disabled.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-08-20 CVE Reserved
- 2021-10-14 CVE Published
- 2023-05-08 EPSS Updated
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39338 | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://github.com/BigTiger2020/word-press/blob/main/MyBB%20Cross-Poster.md | 2024-09-16 |
URL | Date | SRC |
---|---|---|
https://plugins.trac.wordpress.org/browser/mybb-cross-poster/trunk/classes/MyBBXPSettings.php | 2021-10-20 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Mybb Cross-poster Project Search vendor "Mybb Cross-poster Project" | Mybb Cross-poster Search vendor "Mybb Cross-poster Project" for product "Mybb Cross-poster" | <= 1.0 Search vendor "Mybb Cross-poster Project" for product "Mybb Cross-poster" and version " <= 1.0" | wordpress |
Affected
|