PT-2021-20623 · WordPress · Wp Songbook+1
P7E4 · Published 2021-08-16 · Updated 2021-08-24 · CVE-2021-34655
CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WP Songbook WordPress plugin versions up to and including 2.0.11; Custom Post Type Relations WordPress plugin versions up to and including 1.0.
Description: The issue allows attackers to inject arbitrary web scripts via Reflected Cross-Site Scripting. In the WP Songbook WordPress plugin, this is possible through the url parameter in the ~/inc/class.ajax.php file. In the Custom Post Type Relations WordPress plugin, the vulnerability is exploited via the cptr[name] parameter in the ~/pages/admin-page.php file.
Recommendations: For WP Songbook WordPress plugin versions up to and including 2.0.11, update to a version later than 2.0.11 to resolve the issue. For Custom Post Type Relations WordPress plugin versions up to and including 1.0, update to a version later than 1.0 to resolve the issue. As a temporary workaround, consider restricting access to the ~/inc/class.ajax.php file in the WP Songbook WordPress plugin and the ~/pages/admin-page.php file in the Custom Post Type Relations WordPress plugin to minimize the risk of exploitation. Avoid using the url parameter in the affected WP Songbook WordPress plugin and the cptr[name] parameter in the Custom Post Type Relations WordPress plugin until the issue is resolved.
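Both findings share the same root cause: a request parameter is written into HTML without context-appropriate escaping. The PHP below is an added example, not code from WP Songbook, Custom Post Type Relations or this advisory's authors; it shows that reflected pattern beside a hardened form. The url and cptr[name] parameter names come from the advisory, while the function names, the surrounding markup and the sample request are hypothetical.

```php
<?php
// Added example for this advisory; it is not code from WP Songbook or
// Custom Post Type Relations. It shows the reflected-XSS pattern the advisory
// describes (a request parameter echoed straight into HTML) beside a hardened
// version. The 'url' and 'cptr[name]' parameter names come from the advisory;
// the function names and the HTML around them are hypothetical.

declare(strict_types=1);

// HTML-context escaping. In a WordPress plugin, esc_html(), esc_attr() and
// esc_url() play this role (with wp_unslash() applied to the raw input first).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Read cptr[name] defensively: a plain ?cptr=string (not an array) must not
// raise a TypeError on the offset access, and a missing value yields ''.
function read_cptr_name(array $get): string
{
    $cptr = $get['cptr'] ?? null;
    return is_array($cptr) ? (string)($cptr['name'] ?? '') : '';
}

// VULNERABLE pattern: raw request values are concatenated into markup, so a
// quote or an angle bracket in either parameter breaks out of its context.
function render_vulnerable(array $get): string
{
    $url  = (string)($get['url'] ?? '');
    $name = read_cptr_name($get);
    return '<form action="' . $url . '"><p>Relation: ' . $name . '</p></form>';
}

// HARDENED pattern: validate the URL against an allow-list of schemes (so
// javascript: and data: never reach an attribute), then escape every value
// for the exact context it is written into.
function render_hardened(array $get): string
{
    $url    = (string)($get['url'] ?? '');
    $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $url = '';  // relative and non-http(s) values are dropped, not repaired
    }
    $name = read_cptr_name($get);
    return '<form action="' . h($url) . '"><p>Relation: ' . h($name) . '</p></form>';
}

// Constructed request: each parameter carries a quote and a tag, which is the
// shape a reflected-XSS probe takes in a scanner's test case.
$request = [
    'url'  => '"><script>alert(1)</script>',
    'cptr' => ['name' => '<img src=x onerror=alert(1)>'],
];

echo "vulnerable: ", render_vulnerable($request), "\n";
echo "hardened:   ", render_hardened($request), "\n";
```

Run it with `php example.php`: the vulnerable line reproduces the injected tags verbatim, while the hardened line shows an empty action attribute and the entity-encoded name. The hardened version makes two separate decisions, validation of the URL before use and escaping at the point of output, because escaping alone does not stop a javascript: URL from being a valid attribute value.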

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2021-34655

Affected Products: Custom Post Type Relations, Wp Songbook