CVE-2021-25026

State: PUBLISHED · Published: 2022-03-14 · Updated: 2024-08-03 · Assigner: WPScan

Description

The Patreon WordPress plugin before 1.8.2 does not sanitise and escape the field "Custom Patreon Page name", which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

CWE

CWE-79 — CWE-79 Cross-site Scripting (XSS)

Affected

Unknown / Patreon WordPress — v=1.8.2 <1.8.2 [affected]

CVSS

(none)

References

https://wpscan.com/vulnerability/02756dd3-832a-4846-b9e1-a34f148b5cfe x_refsource_MISC
https://plugins.trac.wordpress.org/changeset/2682069 x_refsource_CONFIRM

Source

cvelistV5-main/cves/2021/25xxx/CVE-2021-25026.json