6.1
CVE-2021-24436
- EPSS 5.84%
- Veröffentlicht 19.07.2021 11:15:08
- Zuletzt bearbeitet 21.11.2024 05:53:04
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginW3 Total Cache <= 2.1.3 - Reflected Cross-Site Scripting via extension
The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.
Mögliche Gegenmaßnahme
W3 Total Cache: Update to version 2.1.4, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
W3 Total Cache
Version
[*, 2.1.4)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Boldgrid ≫ W3 Total Cache SwPlatformwordpress Version < 2.1.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 5.84% | 0.902 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.