CVE-2021-24714 WP All Import < 3.6.3 - Admin+ Stored Cross-Site Scripting

2021-12-0615:55:23

CWE-79

WPScan

www.cve.org

cve-2021-24714

wp all import

admin

stored

cross-site scripting

xml

csv

wordpress

plugin

security

vulnerability

unfiltered html

EPSS

0.001

Percentile

24.8%

JSON

The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import’s Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed.

CNA Affected

[
  {
    "product": "Import any XML or CSV File to WordPress",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "3.6.3",
        "status": "affected",
        "version": "3.6.3",
        "versionType": "custom"
      }
    ]
  }
]

References

wpscan.com/vulnerability/a8d314b9-26ac-4b56-a85c-a2528e55e73a

EPSS

0.001

Percentile

24.8%

JSON

Related for CVELIST:CVE-2021-24714