1. Home
  2. CVE Database
  3. CVE-2021-24388
MEDIUM · 5.4

CVE-2021-24388

In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the...

Vulnerability Description

In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
E4JVikrentcar Car Rental Management System< 1.1.7

Related Weaknesses (CWE)

CWE-79CWE-352

References

FAQ

What is CVE-2021-24388?

CVE-2021-24388 is a vulnerability with a CVSS score of 5.4 (MEDIUM). In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the...

How severe is CVE-2021-24388?

CVE-2021-24388 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-24388?

Check the references section above for vendor advisories and patch information. Affected products include: E4J Vikrentcar Car Rental Management System.