Vulnerability Description
The pspin_duplicate_post_save_as_new_post function of the Project Status WordPress plugin through 1.6 does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 3.7Designs | Project Status | <= 1.6 |
Related Weaknesses (CWE)
References
- https://codevigilant.com/disclosure/2021/wp-plugin-project-status/ExploitThird Party Advisory
- https://wpscan.com/vulnerability/ca5f2152-fcfd-492d-a552-f9604011beffExploitThird Party Advisory
- https://codevigilant.com/disclosure/2021/wp-plugin-project-status/ExploitThird Party Advisory
- https://wpscan.com/vulnerability/ca5f2152-fcfd-492d-a552-f9604011beffExploitThird Party Advisory
FAQ
What is CVE-2021-24558?
CVE-2021-24558 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The pspin_duplicate_post_save_as_new_post function of the Project Status WordPress plugin through 1.6 does not sanitise, validate or escape the post GET parameter passed to it before outputting it in ...
How severe is CVE-2021-24558?
CVE-2021-24558 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24558?
Check the references section above for vendor advisories and patch information. Affected products include: 3.7Designs Project Status.