Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for flat_preloader by flat_preloader_project
FKIE_CVE-2021-24789
Vulnerability from fkie_nvd - Published: 2021-11-01 09:15 - Updated: 2024-11-21 05:53
Severity ?
Summary
The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/e8550ccd-3898-4e27-aca9-ade89823ff4d | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/e8550ccd-3898-4e27-aca9-ade89823ff4d | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| flat_preloader_project | flat_preloader | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:flat_preloader_project:flat_preloader:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "151A3203-E993-4AA3-8798-80F2FAC0EDCB",
"versionEndExcluding": "1.5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed"
},
{
"lang": "es",
"value": "El plugin Flat Preloader de WordPress versiones anteriores a 1.5.5, no escapa de algunas de sus configuraciones cuando las emite en un atributo en el frontend, que podr\u00eda permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html no est\u00e1 permitida"
}
],
"id": "CVE-2021-24789",
"lastModified": "2024-11-21T05:53:46.050",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-01T09:15:09.357",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/e8550ccd-3898-4e27-aca9-ade89823ff4d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/e8550ccd-3898-4e27-aca9-ade89823ff4d"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-24685
Vulnerability from fkie_nvd - Published: 2021-11-01 09:15 - Updated: 2024-11-21 05:53
Severity ?
Summary
The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| flat_preloader_project | flat_preloader | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:flat_preloader_project:flat_preloader:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "21614270-86EC-4080-8CBB-D2708C96FBDC",
"versionEndExcluding": "1.5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)"
},
{
"lang": "es",
"value": "El plugin Flat Preloader de WordPress versiones anteriores a 1.5.4, no aplica la comprobaci\u00f3n de nonce cuando guarda su configuraci\u00f3n, ni sanea ni escapa de ella, lo que podr\u00eda permitir a atacantes hacer que un administrador con sesi\u00f3n iniciada la cambie con una carga \u00fatil de tipo Cross-Site Scripting (desencadenada en el frontend o en el backend, dependiendo de la carga \u00fatil)"
}
],
"id": "CVE-2021-24685",
"lastModified": "2024-11-21T05:53:33.693",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-01T09:15:08.727",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
CVE-2021-24789 (GCVE-0-2021-24789)
Vulnerability from cvelistv5 – Published: 2021-11-01 08:46 – Updated: 2024-08-03 19:42
VLAI?
Title
Flat Preloader < 1.5.5 - Admin+ Stored Cross-Site Scripting
Summary
The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Flat Preloader |
Affected:
1.5.5 , < 1.5.5
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:42:17.177Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e8550ccd-3898-4e27-aca9-ade89823ff4d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Flat Preloader",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.5.5",
"status": "affected",
"version": "1.5.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "apple502j"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-01T08:46:23.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/e8550ccd-3898-4e27-aca9-ade89823ff4d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Flat Preloader \u003c 1.5.5 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24789",
"STATE": "PUBLIC",
"TITLE": "Flat Preloader \u003c 1.5.5 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Flat Preloader",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.5.5",
"version_value": "1.5.5"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "apple502j"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/e8550ccd-3898-4e27-aca9-ade89823ff4d",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/e8550ccd-3898-4e27-aca9-ade89823ff4d"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24789",
"datePublished": "2021-11-01T08:46:23.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:42:17.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24685 (GCVE-0-2021-24685)
Vulnerability from cvelistv5 – Published: 2021-11-01 08:46 – Updated: 2024-08-03 19:42
VLAI?
Title
Flat Preloader < 1.5.4 - CSRF to Stored Cross-Site Scripting
Summary
The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Flat Preloader |
Affected:
1.5.4 , < 1.5.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:42:15.987Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Flat Preloader",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.5.4",
"status": "affected",
"version": "1.5.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "apple502j"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-01T08:46:06.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Flat Preloader \u003c 1.5.4 - CSRF to Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24685",
"STATE": "PUBLIC",
"TITLE": "Flat Preloader \u003c 1.5.4 - CSRF to Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Flat Preloader",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.5.4",
"version_value": "1.5.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "apple502j"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24685",
"datePublished": "2021-11-01T08:46:06.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:42:15.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24789 (GCVE-0-2021-24789)
Vulnerability from nvd – Published: 2021-11-01 08:46 – Updated: 2024-08-03 19:42
VLAI?
Title
Flat Preloader < 1.5.5 - Admin+ Stored Cross-Site Scripting
Summary
The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Flat Preloader |
Affected:
1.5.5 , < 1.5.5
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:42:17.177Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e8550ccd-3898-4e27-aca9-ade89823ff4d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Flat Preloader",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.5.5",
"status": "affected",
"version": "1.5.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "apple502j"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-01T08:46:23.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/e8550ccd-3898-4e27-aca9-ade89823ff4d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Flat Preloader \u003c 1.5.5 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24789",
"STATE": "PUBLIC",
"TITLE": "Flat Preloader \u003c 1.5.5 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Flat Preloader",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.5.5",
"version_value": "1.5.5"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "apple502j"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/e8550ccd-3898-4e27-aca9-ade89823ff4d",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/e8550ccd-3898-4e27-aca9-ade89823ff4d"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24789",
"datePublished": "2021-11-01T08:46:23.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:42:17.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24685 (GCVE-0-2021-24685)
Vulnerability from nvd – Published: 2021-11-01 08:46 – Updated: 2024-08-03 19:42
VLAI?
Title
Flat Preloader < 1.5.4 - CSRF to Stored Cross-Site Scripting
Summary
The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Flat Preloader |
Affected:
1.5.4 , < 1.5.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:42:15.987Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Flat Preloader",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.5.4",
"status": "affected",
"version": "1.5.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "apple502j"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-01T08:46:06.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Flat Preloader \u003c 1.5.4 - CSRF to Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24685",
"STATE": "PUBLIC",
"TITLE": "Flat Preloader \u003c 1.5.4 - CSRF to Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Flat Preloader",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.5.4",
"version_value": "1.5.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "apple502j"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24685",
"datePublished": "2021-11-01T08:46:06.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:42:15.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}