CVE-2021-24538 - Vulnerability Details - OpenCVE

The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Current Book Project	Current Book

Configuration 1 [-]

cpe:2.3:a:current_book_project:current_book:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wpscan.com/vulnerability/f9911a43-0f4c-403f-9fca-7822eb693317

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-08-16T10:48:31

Updated: 2024-08-03T19:35:20.035Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24538

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-16T11:15:09.107

Modified: 2024-11-21T05:53:15.620

Link: CVE-2021-24538

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Current Book", "vendor": "Unknown", "versions": [{"lessThanOrEqual": "1.0.1", "status": "affected", "version": "1.0.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Vikas Srivastava"}], "descriptions": [{"lang": "en", "value": "The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-16T10:48:31", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/f9911a43-0f4c-403f-9fca-7822eb693317"}], "source": {"discovery": "UNKNOWN"}, "title": "Current Book <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS)", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24538", "STATE": "PUBLIC", "TITLE": "Current Book <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Current Book", "version": {"version_data": [{"version_affected": "<=", "version_name": "1.0.1", "version_value": "1.0.1"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Vikas Srivastava"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/f9911a43-0f4c-403f-9fca-7822eb693317", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/f9911a43-0f4c-403f-9fca-7822eb693317"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:35:20.035Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/f9911a43-0f4c-403f-9fca-7822eb693317"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24538", "datePublished": "2021-08-16T10:48:31", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:35:20.035Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:current_book_project:current_book:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "C289C5BF-E8E0-4F76-889A-253E223F02E0", "versionEndIncluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue."}, {"lang": "es", "value": "El plugin de WordPress Current Book versiones hasta 1.0.1, no sanea la entrada del usuario cuando un usuario autenticado a\u00f1ade el autor o el t\u00edtulo del libro, y luego no escapa de estos valores cuando se env\u00edan al navegador, conllevando a un problema de tipo XSS Almacenado Autenticado."}], "id": "CVE-2021-24538", "lastModified": "2024-11-21T05:53:15.620", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-16T11:15:09.107", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/f9911a43-0f4c-403f-9fca-7822eb693317"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/f9911a43-0f4c-403f-9fca-7822eb693317"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "contact@wpscan.com", "type": "Secondary"}]}