The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. Please note that such attack is still possible by admin+ in single site blogs by default (but won't be when the unfiltered_html is disallowed)
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/e247d78a-7243-486c-a017-7471a8dcb800 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2022-03-07T08:16:06
Updated: 2022-03-07T08:16:06
Reserved: 2021-01-14T00:00:00
Link: CVE-2021-24826
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-03-07T09:15:08.260
Modified: 2022-03-11T19:21:57.080
Link: CVE-2021-24826
JSON object: View
Redhat Information
No data.
CWE