Vulnerability Description
The Smart Slider 3 Free and pro WordPress plugins before 3.5.0.9 did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may allow lesser privileged users to access the plugin's functionality, in which case, privilege escalation could be performed.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextendweb | Smart Slider | >= 3.0, < 3.5.0.9 |
Related Weaknesses (CWE)
References
- https://smartslider.helpscoutdocs.com/article/1746-changelogPatchVendor Advisory
- https://wpscan.com/vulnerability/7b32a282-e51f-4ee5-b59f-5ba10e62a54dExploitThird Party Advisory
- https://smartslider.helpscoutdocs.com/article/1746-changelogPatchVendor Advisory
- https://wpscan.com/vulnerability/7b32a282-e51f-4ee5-b59f-5ba10e62a54dExploitThird Party Advisory
FAQ
What is CVE-2021-24382?
CVE-2021-24382 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The Smart Slider 3 Free and pro WordPress plugins before 3.5.0.9 did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, on...
How severe is CVE-2021-24382?
CVE-2021-24382 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24382?
Check the references section above for vendor advisories and patch information. Affected products include: Nextendweb Smart Slider.