CVE-2021-24126
Envira Gallery Lite < 1.8.3.3 - Authenticated Stored Cross-Site Scripting
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS —EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
18 Mar 2021Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Unvalidated input and lack of output encoding in the Envira Gallery Lite WordPress plugin, versions before 1.8.3.3, did not properly sanitise the images metadata (namely title) before outputting them in the generated gallery, which could lead to privilege escalation.
Affected products
Unknown · Envira Gallery Lite