CVE-2021-24792
Description
The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation or CSRF checks in place when saving a template (the wpbtn_save_template function is hooked to the init action), nor does it sanitise and escape templates before outputting them in the admin dashboard. This allows unauthenticated users to add a malicious template, leading to Stored Cross-Site Scripting issues.
CWE
- CWE-79 Cross-site Scripting (XSS)
Affected
- Vendor: Unknown / Product: Shiny Buttons – CSS3 Button Generator for WordPress / Versions: ≤ 1.1.0 [affected]
CVSS
- (none)
Source
cvelistV5-main/cves/2021/24xxx/CVE-2021-24792.json