Vulnerability Description
The Admin Columns WordPress plugin, Free before 4.3.2 and Pro before 5.5.2, allowed users to configure individual columns for admin tables. Each column had a type. The "Custom Field" type allowed an arbitrary database column to be chosen for display in the table, and no escaping was applied to the contents of "Custom Field" columns before they were rendered.
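To show the bug class the description names, here is an added illustration (not the plugin's own code) of a custom-field column cell rendered without and with output escaping; the column name, the sample meta values and the esc_html() stub used outside WordPress are assumptions.

```php
<?php
// Hypothetical illustration of the bug class in CVE-2021-24365, not the
// plugin's own code: a list-table column that renders a post's custom
// field (post meta) value. Outside WordPress, stub esc_html() with the
// same behaviour so the file runs stand-alone.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample meta values as they might sit in wp_postmeta.
// Custom fields are normally writable by anyone who can edit the post,
// so their contents must be treated as untrusted at output time.
$meta_values = [
    'sku'   => 'AC-1001',
    'notes' => '<b>interpreted as markup</b> "quoted" & more',
];

// Vulnerable pattern: the stored value is concatenated into the cell as-is,
// so any markup in the meta value is handed to the browser unchanged.
function render_custom_field_vulnerable(string $value): string {
    return '<td class="column-custom-field">' . $value . '</td>';
}

// Fixed pattern: escape at output time, so the value is shown as text.
function render_custom_field_fixed(string $value): string {
    return '<td class="column-custom-field">' . esc_html($value) . '</td>';
}

foreach ($meta_values as $key => $value) {
    echo "[$key] vulnerable: " . render_custom_field_vulnerable($value) . "\n";
    echo "[$key] fixed:      " . render_custom_field_fixed($value) . "\n";
}
```

When auditing a plugin for this pattern, look for meta values or raw table columns that reach echo or string concatenation in list-table callbacks without passing through esc_html(), esc_attr() or wp_kses().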
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Admincolumns | Admin Columns | < 4.3.2 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/fdbeb137-b404-46c7-85fb-394a3bdac388 (Exploit, Third Party Advisory)
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-032.t (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-24365?
CVE-2021-24365 is a vulnerability with a CVSS score of 5.4 (MEDIUM) in the Admin Columns WordPress plugin (Free before 4.3.2 and Pro before 5.5.2); see the Vulnerability Description above.
How severe is CVE-2021-24365?
CVE-2021-24365 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS Score section above for the severity rating.
Is there a patch for CVE-2021-24365?
Check the References section above for vendor advisories and patch information. The affected product is Admin Columns by Admincolumns (Free before 4.3.2, Pro before 5.5.2).