CVE-2021-24525

State: PUBLISHED · Published: 2021-09-20 · Updated: 2024-08-03 · Assigner: WPScan

Description

The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).

CWE

CWE-79 — CWE-79 Cross-site Scripting (XSS)

Affected

Unknown / WordPress Shortcodes Plugin — Shortcodes Ultimate — v=5.10.2 <5.10.2 [affected]

CVSS

(none)

References

https://wpscan.com/vulnerability/7f5659bd-50c3-4725-95f4-cf88812acf1c x_refsource_MISC

Source

cvelistV5-main/cves/2021/24xxx/CVE-2021-24525.json