← voltar
CVE-2021-24988

WP RSS Aggregator < 4.19.3 - Subscriber+ Stored Cross-Site Scripting

EPSS 0.3%CWE-79
Vexday Risk Score
3Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
27 dez 2021Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter.