Vulnerability Description
The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tammersoft | Shared Files | < 1.6.61 |
Related Weaknesses (CWE)
References
- https://mikadmin.fr/tech/XSS-Stored-Shared-Files-a837703ad010d111be11ffdf478aa61ExploitThird Party Advisory
- https://wpscan.com/vulnerability/8fd483fb-d399-4b4f-b4ef-bbfad1b5cf1bExploitThird Party Advisory
- https://mikadmin.fr/tech/XSS-Stored-Shared-Files-a837703ad010d111be11ffdf478aa61ExploitThird Party Advisory
- https://wpscan.com/vulnerability/8fd483fb-d399-4b4f-b4ef-bbfad1b5cf1bExploitThird Party Advisory
FAQ
What is CVE-2021-24856?
CVE-2021-24856 is a vulnerability with a CVSS score of 4.8 (MEDIUM). The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even whe...
How severe is CVE-2021-24856?
CVE-2021-24856 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24856?
Check the references section above for vendor advisories and patch information. Affected products include: Tammersoft Shared Files.