Lucene search

K
cve[email protected]CVE-2021-24433
HistoryJan 16, 2024 - 4:15 p.m.

CVE-2021-24433

2024-01-1616:15:08
CWE-79
web.nvd.nist.gov
15
wordpress
cve-2021-24433
xss
security vulnerability
plugin

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

14.2%

The simple sort&search WordPress plugin through 0.0.3 does not make sure that the indexurl parameter of the shortcodes “category_sims”, “order_sims”, “orderby_sims”, “period_sims”, and “tag_sims” use allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor

Affected configurations

Vulners
NVD
Node
yukimichisimple_sort\&searchRange0.0.3
VendorProductVersionCPE
yukimichisimple_sort\&search*cpe:2.3:a:yukimichi:simple_sort\&search:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "simple sort&search",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThanOrEqual": "0.0.3"
      }
    ],
    "defaultStatus": "affected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

14.2%