← volver
CVE-2021-24618

Donate With QRCode < 1.4.5 - Stored Cross-Site Scripting

EPSS 0.4%CWE-352CWE-79
Vexday Risk Score
3Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
20 sep 2021Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user (as low as subscriber), or unauthenticated user via a CSRF vector to update them and perform such attack.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →