{
  "vulnerability": "CVE-2021-2438",
  "sightings": [
    {
      "uuid": "18b812a0-2d99-4634-ba9b-6d2e35ba374f",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-24387",
      "type": "confirmed",
      "source": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2021/CVE-2021-24387.yaml",
      "content": "",
      "creation_timestamp": "2023-04-27T09:58:59.000000Z"
    },
    {
      "uuid": "88b9a5f5-1edd-437f-af12-23c6c2859f3f",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-24388",
      "type": "seen",
      "source": "https://t.me/arpsyndicate/1648",
      "content": "#ExploitObserverAlert\n\nCVE-2021-24388\n\nDESCRIPTION: Exploit Observer has 3 entries related to CVE-2021-24388. In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it.\n\nFIRST-EPSS: 0.000530000\nNVD-IS: 2.7\nNVD-ES: 2.3",
      "creation_timestamp": "2023-12-10T15:50:06.000000Z"
    },
    {
      "uuid": "54dcff0f-3f5f-4b78-bc2b-cf09e11f1fd7",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-24388",
      "type": "seen",
      "source": "https://t.me/arpsyndicate/549",
      "content": "#ExploitObserverAlert\n\nCVE-2021-24388\n\nDESCRIPTION: Exploit Observer has 3 entries related to CVE-2021-24388. In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it.\n\nFIRST-EPSS: 0.000530000\nNVD-IS: 2.7\nNVD-ES: 2.3",
      "creation_timestamp": "2023-11-24T23:07:48.000000Z"
    },
    {
      "uuid": "238f9e58-a8a1-40de-9880-bb3cf92b61c8",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-24380",
      "type": "seen",
      "source": "https://t.me/cibsecurity/27367",
      "content": "\u203c CVE-2021-24380 \u203c\n\nThe Shantz WordPress QOTD WordPress plugin through 1.2.2 is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-08-16T14:14:51.000000Z"
    },
    {
      "uuid": "6f79a7cb-aae8-4f28-9a8e-5ca446d0736d",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-24386",
      "type": "seen",
      "source": "https://t.me/cibsecurity/25922",
      "content": "\u203c CVE-2021-24386 \u203c\n\nThe WP SVG images WordPress plugin before 3.4 did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3.4, the plugin restricted such upload to editors and admin, with an option to also allow author to do so. The description of the plugin has also been updated with a security warning as upload of such content is intended.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-07-06T14:36:42.000000Z"
    },
    {
      "uuid": "e5d9b829-ac7b-4d03-8ad9-a842b119186d",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-24389",
      "type": "seen",
      "source": "https://t.me/cibsecurity/25921",
      "content": "\u203c CVE-2021-24389 \u203c\n\nThe WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-07-06T14:36:41.000000Z"
    },
    {
      "uuid": "babdc6f3-e5e6-4449-8f65-cf2d0925f35a",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-24382",
      "type": "seen",
      "source": "Telegram/RJP6DRxW8JxNsKVsFrXRoDba5rXUJUimSufbf4OULVkKBz8",
      "content": "",
      "creation_timestamp": "2021-06-14T20:19:25.000000Z"
    },
    {
      "uuid": "976deaed-369c-4b5e-a164-9aaa84f1ced9",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-24383",
      "type": "seen",
      "source": "https://t.me/pwnwiki_zhchannel/701",
      "content": "CVE-2021-24383 WordPress Plugin WP Google Maps 8.1.11 XSS\u6f0f\u6d1e\nhttps://www.pwnwiki.org/index.php?title=CVE-2021-24383_WordPress_Plugin_WP_Google_Maps_8.1.11_XSS%E6%BC%8F%E6%B4%9E",
      "creation_timestamp": "2021-09-21T04:42:25.000000Z"
    }
  ]
}