1. Home
  2. CVE Database
  3. CVE-2021-24988
MEDIUM · 5.4

CVE-2021-24988

The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_...

Vulnerability Description

The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
WprssaggregatorWp Rss Aggregator< 4.19.3

Related Weaknesses (CWE)

CWE-79CWE-862CWE-352

References

FAQ

What is CVE-2021-24988?

CVE-2021-24988 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_...

How severe is CVE-2021-24988?

CVE-2021-24988 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-24988?

Check the references section above for vendor advisories and patch information. Affected products include: Wprssaggregator Wp Rss Aggregator.