PT-2021-15973 · WordPress · My Site Audit
Akash Rajendra Patil
·
Published
2021-08-16
·
Updated
2021-08-23
·
CVE-2021-24445
CVSS v3.1
5.5
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
My Site Audit WordPress plugin versions 1.2.4 and earlier
Description
The issue allows high privilege users to set JavaScript payloads in the Audit Name field when creating an audit, due to a lack of sanitization or escaping, leading to an authenticated Stored Cross-Site Scripting issue. This occurs even when the unfiltered html capability is disallowed.
Recommendations
For My Site Audit WordPress plugin versions 1.2.4 and earlier, consider disabling the ability to set custom Audit Name fields until a patch is available to prevent the injection of JavaScript payloads. Restrict access to the audit creation feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
My Site Audit