Vulnerability Description
The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active)
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Premio | Mystickymenu | < 2.5.2 |
Related Weaknesses (CWE)
References
- https://m0ze.ru/vulnerability/%5B2021-05-21%5D-%5BWordPress%5D-%5BCWE-79%5D-MySt
- https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583ExploitThird Party Advisory
- https://m0ze.ru/vulnerability/%5B2021-05-21%5D-%5BWordPress%5D-%5BCWE-79%5D-MySt
- https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583ExploitThird Party Advisory
FAQ
What is CVE-2021-24425?
CVE-2021-24425 is a vulnerability with a CVSS score of 4.8 (MEDIUM). The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight pri...
How severe is CVE-2021-24425?
CVE-2021-24425 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24425?
Check the references section above for vendor advisories and patch information. Affected products include: Premio Mystickymenu.