CVE-2021-24272

🗓️ 05 May 2021 18:28:47Reported by WPScanType

cve🔗 web.nvd.nist.gov📰️ 3 Media mentions👁 111 Views🌐 WEB

The fitness calculators WordPress plugin before 1.9.6 allows CSRF attacks and Stored XSS

Reporter	Title	Published	Views	Family All 13
0day.today	WordPress Fitness Calculators 1.9.5 Plugin - Cross-Site Request Forgery Vulnerability	23 Sep 202100:00	–	zdt
CNNVD	WordPress fitness calculators 跨站请求伪造漏洞	5 May 202100:00	–	cnnvd
Cvelist	CVE-2021-24272 Fitness Calculators < 1.9.6 - Cross-Site Request Forgery to Cross-Site Scripting (XSS)	5 May 202118:28	–	cvelist
Exploit DB	WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)	23 Sep 202100:00	–	exploitdb
EUVD	EUVD-2021-11186	7 Oct 202500:30	–	euvd
NVD	CVE-2021-24272	5 May 202119:15	–	nvd
OSV	CVE-2021-24272	5 May 202119:15	–	osv
Packet Storm	WordPress Fitness Calculators 1.9.5 Cross Site Request Forgery	23 Sep 202100:00	–	packetstorm
Patchstack	WordPress fitness calculators plugin <= 1.9.5 - Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability	14 Apr 202100:00	–	patchstack
Prion	Cross site scripting	5 May 202119:15	–	prion

NVD

Vulners

Node

codeinitiator fitness_calculatorsRange<1.9.6wordpress

[
  {
    "product": "fitness calculators",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "1.9.6",
        "status": "affected",
        "version": "1.9.6",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
packetstormsecurity	www.packetstormsecurity.com/files/164261/WordPress-Fitness-Calculators-1.9.5-Cross-Site-Request-Forgery.html
wpscan	www.wpscan.com/vulnerability/e643040b-1f3b-4c13-8a20-acfd069dcc4f

Parameter	Position	Path	Description	CWE
fcw[fcw_heading]	request body	/wp-admin/admin.php?page=fcp_dashboard&tab=water	Stored XSS vector via unsanitized input in calculator header due to CSRF weakness	CWE-352

21 Nov 2024 05:52Current

4.3Medium risk

Vulners AI Score4.3

CVSS 3.14.3

CVSS 24.3

EPSS0.00245

CWE-352