CVE-2021-24826
Custom Content Shortcode < 4.0.2 - Authenticated Stored Cross-Site Scripting
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS —EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
07 Mar 2022Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. Please note that such attack is still possible by admin+ in single site blogs by default (but won't be when the unfiltered_html is disallowed)
Affected products
Unknown · Custom Content Shortcode