CVE-2021-24563

Published: 11/10/2021 Updated: 19/02/2022
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

The Frontend Uploader WordPress plugin up to and including 1.3.2 does not prevent HTML files from being uploaded via its form. This allows an unauthenticated user to upload a malicious HTML file containing, for example, JavaScript, which is triggered when someone accesses the file directly.

Vulnerable Product

frontend uploader project frontend uploader

Exploits

WordPress Frontend Uploader plugin version 1.3.2 suffers from a persistent cross-site scripting vulnerability ...

Github Repositories

CVE-2021-24563

Frontend Uploader <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting

The plugin does not prevent HTML files from being uploaded via its form, allowing an unauthenticated user to upload a malicious HTML file containing, for example, JavaScript, which will be triggered when someone accesses the file directly.

Proof of Concept

In a page/posts where the [fu-upload