← back
CVE-2021-24618

Donate With QRCode < 1.4.5 - Stored Cross-Site Scripting

EPSS 0.4%CWE-352CWE-79
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
20 Sep 2021Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user (as low as subscriber), or unauthenticated user via a CSRF vector to update them and perform such attack.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →