
We found results for “”
CVE-2021-24988
Good to know:

Date: December 27, 2021
The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter.
Language: PHP
Severity Score
Severity Score
Weakness Type (CWE)
Top Fix

Upgrade Version
Upgrade to version wprss/core - 4.19.3;wprss/core - dev-dependabot/npm_and_yarn/node-sass-7.0.0;wprss/core - dev-dependabot/npm_and_yarn/decode-uri-component-0.2.2;wprss/core - dev-dependabot/npm_and_yarn/minimist-1.2.6;wprss/core - no_fix;wprss/core - dev-dependabot/npm_and_yarn/express-4.18.2
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | LOW |
User Interaction (UI): | REQUIRED |
Scope (S): | CHANGED |
Confidentiality (C): | LOW |
Integrity (I): | LOW |
Availability (A): | NONE |
CVSS v2
Base Score: |
|
---|---|
Access Vector (AV): | NETWORK |
Access Complexity (AC): | MEDIUM |
Authentication (AU): | SINGLE |
Confidentiality (C): | NONE |
Integrity (I): | PARTIAL |
Availability (A): | NONE |
Additional information: |