CVE-2021-24382

Exploit

EPSS 0.42%
Veröffentlicht 14.06.2021 14:15:09
Zuletzt bearbeitet 21.11.2024 05:52:57
Quelle contact@wpscan.com
CVE-Watchlists
Login
Unerledigt
Login

Smart Slider 3 <= 3.5.0.8 - Authenticated Stored Cross-Site Scripting

The Smart Slider 3 Free and pro WordPress plugins before 3.5.0.9 did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may allow lesser privileged users to access the plugin's functionality, in which case, privilege escalation could be performed.

Mögliche Gegenmaßnahme

Smart Slider 3: Update to version 3.5.0.9, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Smart Slider 3

Version [*, 3.5.0.9)

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextendweb ≫ Smart Slider SwEditionfree SwPlatformwordpress Version >= 3.0 < 3.5.0.9

Nextendweb ≫ Smart Slider SwEditionpro SwPlatformwordpress Version >= 3.0 < 3.5.0.9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.42%	0.612

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://smartslider.helpscoutdocs.com/article/1746-changelog

Patch

Vendor Advisory

https://wpscan.com/vulnerability/7b32a282-e51f-4ee5-b59f-5ba10e62a54d

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/6c57f27b-2441-4f16-ab4b-bfb68b7b793f

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-24382

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-24382

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-24382

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-24382