Description

The Admin Columns WordPress plugin before 4.3 and Admin Columns Pro WordPress plugin before 5.5.1 do not sanitise and escape its Label settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Related CPE's

a

admincolumns

admin_columns

2

References

https://github.com/codepress/admin-columns/commit/b45571ed21d574d13687213a5002e0c68e4442c7

https://wpscan.com/vulnerability/05427156-4d5c-4aeb-add8-1c574fda5c28

ExploitThird Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-24366

ExploitThird Party Advisory

Weaknesses

Could not find any weaknesses

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.4 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-06-21T20:15:08.490

4 years ago

Last modified

2023-11-07T09:15:07.017

1 year ago