CVE-2021-24177: XSS
First published: Mon Apr 05 2021(Updated: )
In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted on the User-Agent parameter. The payload is then reflected back on the web application response.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Webdesi9 File Manager | <7.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-24177.
What is the severity of CVE-2021-24177?
The severity of CVE-2021-24177 is medium with a CVSS score of 5.4.
What is the affected software of CVE-2021-24177?
The affected software of CVE-2021-24177 is the File Manager WordPress plugin before version 7.1.
How does the vulnerability occur?
The vulnerability occurs when a payload is submitted on the User-Agent parameter of the /wp-admin/admin.php?page=wp_file_manager_properties endpoint, resulting in a reflected XSS attack.
Are there any references for CVE-2021-24177?
Yes, you can find references for CVE-2021-24177 at the following links: [Reference 1](https://n4nj0.github.io/advisories/wordpress-plugin-wp-file-manager-i/), [Reference 2](https://plugins.trac.wordpress.org/changeset/2476829/), [Reference 3](https://wpscan.com/vulnerability/1cf3d256-cf4b-4d1f-9ed8-e2cc6392d8d8).
- collector/nvd-index
- agent/weakness
- agent/references
- agent/severity
- agent/author
- vendor/webdesi9
- canonical/webdesi9 file manager