6.1
CVE-2021-24504
- EPSS 0.76%
- Veröffentlicht 02.08.2021 11:15:11
- Zuletzt bearbeitet 21.11.2024 05:53:11
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginWP LMS <= 1.1.2 - Stored Cross-Site Scripting (XSS)
WP LMS – Best WordPress LMS Plugin <= 1.1.5 - Cross-Site Scripting
The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated)
Mögliche Gegenmaßnahme
WP Learn Manager: Update to version 1.1.6, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wplearnmanager ≫ Wp Learn Manager SwPlatformwordpress Version <= 1.1.2
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
WP Learn Manager
Version
*-1.1.5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.76% | 0.505 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1
https://www.wordfence.com/threat-intel/vulnerabilities/id/92cdb716-8e45-41ea-8805-527d20a4bcb5