CVE-2021-24443
Youzify < 1.0.7 - Stored Cross-Site Scripting via Biography
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS —EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
02 Aug 2021Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The About Me widget of the Youzify – BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload adding a rogue account for example.
Affected products
Unknown · Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPressWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →