Lucene search

[email protected]CVE-2021-24528

HistoryAug 30, 2021 - 3:15 p.m.

CVE-2021-24528

2021-08-3015:15:07

CWE-79

[email protected]

web.nvd.nist.gov

fluentsmtp

wordpress plugin

xss

cross-site scripting

cve-2021-24528

nvd

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

25.0%

JSON

The FluentSMTP WordPress plugin before 2.0.1 does not sanitize parameters before storing the settings in the database, nor does the plugin escape the values before outputting them when viewing the SMTP settings set by this plugin, leading to a stored cross site scripting (XSS) vulnerability. Only users with roles capable of managing plugins can modify the plugin’s settings.

Affected configurations

Vulners

NVD

Node

photoboxonesmtp_mailRange<2.0.1

VendorProductVersionCPE
photoboxonesmtp_mail*cpe:2.3:a:photoboxone:smtp_mail:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
photoboxone	smtp_mail	*	cpe:2.3:a:photoboxone:smtp_mail::::::::

CNA Affected

[
  {
    "product": "FluentSMTP – WordPress Mail SMTP, SES, SendGrid, Mailgun and Any SMTP Plugin",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "2.0.1",
        "status": "affected",
        "version": "2.0.1",
        "versionType": "custom"
      }
    ]
  }
]