CVE-2021-24234

State: PUBLISHED · Published: 2021-04-22 · Updated: 2024-08-03 · Assigner: WPScan

Description

The Search Forms page of the Ivory Search WordPress lugin before 4.6.1 did not properly sanitise the tab parameter before output it in the page, leading to a reflected Cross-Site Scripting issue when opening a malicious crafted link as a high privilege user. Knowledge of a form id is required to conduct the attack.

CWE

CWE-79 — CWE-79 Cross-site Scripting (XSS)

Affected

Unknown / Ivory Search – WordPress Search Plugin — v=4.6.1 <4.6.1 [affected]

CVSS

(none)

References

https://wpscan.com/vulnerability/ecc620be-8e29-4860-9d32-86b5814a3835 x_refsource_CONFIRM
https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-in-ivory-search-wp-plugin/ x_refsource_MISC
https://www.jinsonvarghese.com/reflected-xss-vulnerability-found-in-ivory-search-plugin/ x_refsource_MISC

Source

cvelistV5-main/cves/2021/24xxx/CVE-2021-24234.json