An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.6 had neither capability checks nor sanitization, allowing low-privilege users (subscriber+) to call it and set XSS payloads, which are then triggered in all backend pages.
References
| Link | Resource |
|---|---|
| https://codecanyon.net/item/visual-composer-clipboard/8897711 | Product, Third Party Advisory |
| https://wpscan.com/vulnerability/3bc0733a-b949-40c9-a5fb-f56814fc4af3 | Exploit, Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2021-05-05T18:39:42
Updated: 2021-05-05T18:39:42
Reserved: 2021-01-14T00:00:00
Link: CVE-2021-24243
NVD Information
Status: Analyzed
Published: 2021-05-06T13:15:11.463
Modified: 2021-05-13T17:40:44.207
Link: CVE-2021-24243
Redhat Information
No data.
CWE