The simple sort&search WordPress plugin through 0.0.3 does not make sure that the indexurl parameter of the shortcodes "category_sims", "order_sims", "orderby_sims", "period_sims", and "tag_sims" use allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/2ce8c786-ba82-427c-b5e7-e3b300a24c5f/ | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2024-01-16T15:49:30.825Z
Updated: 2024-01-16T15:49:30.825Z
Reserved: 2021-01-14T15:03:46.692Z
Link: CVE-2021-24433
JSON object: View
NVD Information
Status : Analyzed
Published: 2024-01-16T16:15:08.897
Modified: 2024-01-23T21:03:48.487
Link: CVE-2021-24433
JSON object: View
Redhat Information
No data.
CWE