Vulnerability Description
The WP Offload SES Lite WordPress plugin before 1.4.5 did not escape some of the fields in the Activity page of the admin dashboard, such as the email's id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields (for example the subject, when filling in a contact form). The XSS is executed in the context of a logged-in admin viewing the Activity tab of the plugin.
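To make the defect concrete, here is an added example (not the plugin's own code) contrasting the unescaped output pattern described above with the context-aware escaping a WordPress admin screen should use. It assumes it runs inside WordPress (so `esc_html()` and `absint()` are available) and uses a constructed row with the hypothetical keys `id`, `subject` and `recipient`.

```php
<?php
// Added example, not code from WP Offload SES Lite. Assumes the WordPress
// runtime (esc_html, absint) and a hypothetical row shape for the Activity log.

// Constructed sample row: the subject carries markup, as a contact-form
// submitter could supply it.
$emails = [
    [ 'id' => 42, 'subject' => 'Hello <i>there</i>', 'recipient' => 'ops@example.com' ],
];

// Vulnerable pattern (the pre-1.4.5 behaviour the advisory describes): values
// are concatenated straight into the admin page, so any markup inside them is
// parsed by the admin's browser rather than shown as text.
function render_activity_row_vulnerable( array $row ) {
    return '<tr><td>' . $row['id'] . '</td>'
         . '<td>' . $row['subject'] . '</td>'
         . '<td>' . $row['recipient'] . '</td></tr>';
}

// Hardened pattern: every untrusted value passes through an escaping function
// chosen for where it lands. esc_html() for text nodes, absint() for an
// integer id; esc_attr() would be the choice inside an HTML attribute.
function render_activity_row_escaped( array $row ) {
    return '<tr><td>' . absint( $row['id'] ) . '</td>'
         . '<td>' . esc_html( $row['subject'] ) . '</td>'
         . '<td>' . esc_html( $row['recipient'] ) . '</td></tr>';
}

foreach ( $emails as $row ) {
    echo render_activity_row_escaped( $row );
}
```

With the escaped renderer the sample subject is displayed literally as `Hello <i>there</i>` instead of being interpreted as markup; escaping at output time is what closes this class of issue regardless of how the value entered the log.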
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Deliciousbrains | Wp Offload Ses Lite | < 1.4.5 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/8f14733e-84c3-4f7c-93f8-e27c74519160 (Exploit, Vendor Advisory)
FAQ
What is CVE-2021-24494?
CVE-2021-24494 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The WP Offload SES Lite WordPress plugin before 1.4.5 did not escape some of the fields in the Activity page of the admin dashboard, such as the email's id, subject and recipient, which could lead to ...
How severe is CVE-2021-24494?
CVE-2021-24494 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-24494?
Check the references section above for vendor advisories and patch information. Affected products include: Deliciousbrains Wp Offload Ses Lite.