{"vulnerability": "CVE-2021-2454", "sightings": [{"uuid": "055112ed-7937-4d72-984e-d47f5b010a53", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24545", "type": "seen", "source": "https://t.me/cibsecurity/30317", "content": "\u203c CVE-2021-24545 \u203c\n\nThe WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visit a post in the frontend made by such user. As a result, user with a role as low as author could perform Cross-Site Scripting attacks against users, which could potentially lead to privilege escalation when an admin view the related post/s.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-11T14:24:32.000000Z"}, {"uuid": "969a063a-055b-465d-ab83-bb93f8f4e4e5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24544", "type": "seen", "source": "https://t.me/cibsecurity/31129", "content": "\u203c CVE-2021-24544 \u203c\n\nThe Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-25T18:13:54.000000Z"}, {"uuid": "a62783fd-3ac9-4ccf-8cda-c594593bd09e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24546", "type": "seen", "source": "https://t.me/cibsecurity/30319", "content": "\u203c CVE-2021-24546 \u203c\n\nThe Gutenberg Block Editor Toolkit \u00c3\u00a2\u00e2\u201a\u00ac\u00e2\u20ac\u0153 EditorsKit WordPress plugin before 1.31.6 does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low contributor to execute Arbitrary PHP code\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-11T14:24:34.000000Z"}, {"uuid": "b7b7413c-578d-4b12-9628-047dad74d2f1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24547", "type": "seen", "source": "https://t.me/cibsecurity/27694", "content": "\u203c CVE-2021-24547 \u203c\n\nThe KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-23T16:23:13.000000Z"}, {"uuid": "fdf4a4d7-8328-415a-a016-b4929c2498ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24548", "type": "seen", "source": "https://t.me/cibsecurity/27365", "content": "\u203c CVE-2021-24548 \u203c\n\nThe Mimetic Books WordPress plugin through 0.2.13 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the \"Default Publisher ID\" field on the plugin's settings page.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-16T14:14:46.000000Z"}, {"uuid": "4962e796-b642-463a-9609-d9330c931f44", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24549", "type": "seen", "source": "https://t.me/cibsecurity/27685", "content": "\u203c CVE-2021-24549 \u203c\n\nThe AceIDE WordPress plugin through 2.6.2 does not sanitise or validate the user input which is appended to system paths before using it in various actions, such as to read arbitrary files from the server. This allows high privilege users such as administrator to access any file on the web server outside of the blog directory via a path traversal attack.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-23T16:23:01.000000Z"}, {"uuid": "a1bbdc6d-e274-488e-a35a-876dce08955f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24541", "type": "seen", "source": "https://t.me/cibsecurity/27361", "content": "\u203c CVE-2021-24541 \u203c\n\nThe Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-16T14:14:43.000000Z"}, {"uuid": "9dbec688-435b-48dc-a244-ac5db4658160", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24540", "type": "seen", "source": "https://t.me/cibsecurity/27354", "content": "\u203c CVE-2021-24540 \u203c\n\nThe Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-16T14:14:33.000000Z"}]}