The Dynamic Widgets WordPress plugin through 1.5.16 does not escape the prefix parameter before outputting it back in an attribute when using the term_tree AJAX action (available to any authenticated users), leading to a Reflected Cross-Site Scripting issue
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/b8e6f0d3-a7d1-4ca8-aba8-0d5075167d55 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2022-02-28T09:06:23
Updated: 2022-02-28T09:06:22
Reserved: 2021-01-14T00:00:00
Link: CVE-2021-24933
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-02-28T09:15:08.243
Modified: 2022-03-08T17:13:30.350
Link: CVE-2021-24933
JSON object: View
Redhat Information
No data.
CWE