Vulnerability Description
An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.6 did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend pages.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wpbakery Page Builder Clipboard Project | Wpbakery Page Builder Clipboard | >= 4.5.0, < 4.5.6 |
Related Weaknesses (CWE)
References
- https://codecanyon.net/item/visual-composer-clipboard/8897711ProductThird Party Advisory
- https://wpscan.com/vulnerability/3bc0733a-b949-40c9-a5fb-f56814fc4af3ExploitThird Party Advisory
- https://codecanyon.net/item/visual-composer-clipboard/8897711ProductThird Party Advisory
- https://wpscan.com/vulnerability/3bc0733a-b949-40c9-a5fb-f56814fc4af3ExploitThird Party Advisory
FAQ
What is CVE-2021-24243?
CVE-2021-24243 is a vulnerability with a CVSS score of 5.4 (MEDIUM). An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.6 did not have capability checks nor sanitization, allowing low privilege users (subscrib...
How severe is CVE-2021-24243?
CVE-2021-24243 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24243?
Check the references section above for vendor advisories and patch information. Affected products include: Wpbakery Page Builder Clipboard Project Wpbakery Page Builder Clipboard.