CVE-2021-24969
Download Manager < 3.2.22 - Subscriber+ Stored Cross-Site Scripting
Vexday Risk Score
3Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS —EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
27 dic 2021Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The WordPress Download Manager WordPress plugin before 3.2.22 does not sanitise and escape Template data before outputting it in various pages (such as admin dashboard and frontend). Due to the lack of authorisation and CSRF checks in the wpdm_save_template AJAX action, any authenticated users such as subscriber is able to call it and perform Cross-Site Scripting attacks
Productos afectados
Unknown · WordPress Download Manager¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →