PT-2021-4129 · WordPress · Smart Email Alerts

P7E4

Published: 2021-08-16 · Updated: 2021-08-23 · CVE-2021-34642

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Smart Email Alerts WordPress plugin versions up to and including 1.0.10

Description

The issue exists due to a lack of protection for the web page structure in the ~/views/settings.php file. This allows a remote attacker to inject arbitrary web scripts. The vulnerability is related to Reflected Cross-Site Scripting via the api key in the ~/views/settings.php file.

Recommendations

For versions up to and including 1.0.10, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the api key parameter in the ~/views/settings.php file to minimize the risk of exploitation.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2021-04721
CVE-2021-34642

Affected Products

Smart Email Alerts