PT-2021-21380 · Yith · Yith Maintenance Mode

Reported by: Re-Alter (+1)

Published 2021-09-27 · Updated 2021-10-12 · CVE-2021-36845

CVSS v3.1: 6.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: YITH Maintenance Mode versions <= 1.3.8

Description: Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities exist in the YITH Maintenance Mode WordPress plugin. There are 46 vulnerable parameters that were missed by the vendor while patching version 1.3.7 to 1.3.8. Vulnerable parameters include those in the "Newsletter", "General", "Background", "Logo", and "Socials" tabs. For example, the "yith maintenance newsletter submit label" parameter is vulnerable to XSS: a payload starting with a single quote symbol can break out of the attribute context and trigger an alert when an admin visits the page.

Recommendations: To resolve the issue for versions <= 1.3.8, update to a version greater than 1.3.8. As a temporary workaround, consider disabling the vulnerable parameters, such as "yith maintenance newsletter submit label", "yith maintenance message", "yith maintenance custom style", and others, until a patch is available. Restrict access to the vulnerable tabs, including "Newsletter", "General", "Background", "Logo", and "Socials", to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved.
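The root cause described above (a stored settings value echoed into an attribute without escaping, so a single quote closes the attribute) and its fix (sanitize on save, escape on output for the target context) as an added PHP illustration. This is not the plugin's own code: the option names, settings group and function names are placeholders.

```php
<?php
// Added illustration, not code from the YITH Maintenance Mode plugin.
// "example_submit_label" is a placeholder standing in for a plugin
// setting such as the newsletter submit label named in the advisory.

// Register the option with a sanitize callback so that whatever an
// authenticated user saves is reduced to plain text before it is stored.
add_action( 'admin_init', function () {
    register_setting( 'example_group', 'example_submit_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => 'Subscribe',
    ) );
} );

// Vulnerable pattern: the stored option is concatenated straight into a
// single-quoted attribute. A value containing a single quote terminates
// the attribute and the rest of the string is parsed as markup by every
// administrator who loads the settings page (stored XSS).
function example_render_submit_vulnerable() {
    $label = get_option( 'example_submit_label' );
    echo "<input type='submit' value='" . $label . "'>";
}

// Hardened pattern: escape at the point of output for the context the
// value lands in. esc_attr() encodes quotes and angle brackets, so the
// stored string can only ever be attribute text, whatever was saved.
function example_render_submit_hardened() {
    $label = get_option( 'example_submit_label', 'Subscribe' );
    printf( '<input type="submit" value="%s">', esc_attr( $label ) );
}

// A value placed in element content rather than an attribute needs the
// HTML-body escaper instead; picking the escaper per context is the point.
function example_render_message_hardened() {
    $message = get_option( 'example_message', '' );
    echo '<p>' . esc_html( $message ) . '</p>';
}
```

Sanitizing on save alone is not sufficient, since values written before the fix or through another code path remain in the database; escaping on output covers those as well.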

Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2021-36845

Affected Products: Yith Maintenance Mode