CVE-2021-24176
JH 404 Logger <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Vexday Risk Score
18 (Low)
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS: — | EPSS: 2.0% | KEV: no | PoC: — | Nuclei: yes | Metasploit: — | Patch: —
Lifecycle
05 Apr 2021: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The JH 404 Logger WordPress plugin through 1.1 does not sanitise the referer and path of 404 pages when they are output in the dashboard, which leads to the execution of arbitrary JavaScript code in the WordPress dashboard.
Affected products
Unknown · JH 404 Logger