CVE-2021-24756

🗓️ 13 Dec 2021 10:40:47Reported by WPScanType

cve🔗 web.nvd.nist.gov📰️ 6 Media mentions👁 51 Views🌐 WEB

The WP System Log WordPress plugin before 1.0.21 is vulnerable to Cross-Site Scriptin

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2021-24756	13 Dec 202114:24	–	circl
CNNVD	WordPress 插件跨站脚本漏洞	13 Dec 202100:00	–	cnnvd
CNVD	WordPress WP System Log plugin cross-site scripting vulnerability	18 Dec 202100:00	–	cnvd
Cvelist	CVE-2021-24756 WP System Log < 1.0.21 - Unauthenticated Stored Cross-Site Scripting	13 Dec 202110:40	–	cvelist
NVD	CVE-2021-24756	13 Dec 202111:15	–	nvd
Patchstack	WordPress WP System Log plugin <= 1.0.20 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability	15 Nov 202100:00	–	patchstack
Prion	Cross site scripting	13 Dec 202111:15	–	prion
RedhatCVE	CVE-2021-24756	22 May 202518:24	–	redhatcve
wpexploit	WP System Log < 1.0.21 - Unauthenticated Stored Cross-Site Scripting	15 Nov 202100:00	–	wpexploit
WPVulnDB	WP System Log < 1.0.21 - Unauthenticated Stored Cross-Site Scripting	15 Nov 202100:00	–	wpvulndb

NVD

Vulners

Node

wp_system_log_project wp_system_logRange<1.0.21wordpress

[
  {
    "product": "WP System Log",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "1.0.21",
        "status": "affected",
        "version": "1.0.21",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/0cea0717-8f54-4f1c-b3ee-aff7dd91bf59

Parameter	Position	Path	Description	CWE
X-Forwarded-For	header	/wp-login.php	IP address from login requests not sanitised/escaped before output to logs/admin dashboard, enabling XSS via crafted header.	CWE-79
X-Forwarded-For	header	/wp-admin/admin.php?page=winteractivitylog	XSS appears in the Activity Log dashboard when log data (IP) is displayed, due to lack of sanitisation/escaping.	CWE-79

21 Nov 2024 05:53Current

6Medium risk

Vulners AI Score6

CVSS 24.3

CVSS 3.16.1

EPSS0.15849

CWE-79