CVE-2021-24525: Shortcodes Ultimate < 5.10.2 - Contributor+ Stored XSS
First published: Mon Sep 20 2021(Updated: )
The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Shortcodes Ultimate by Vova Anokhin | <5.10.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-24525?
CVE-2021-24525 is a vulnerability in the Shortcodes Ultimate WordPress plugin that allows users with Contributor roles to perform stored XSS through shortcode attributes.
How can the Shortcodes Ultimate WordPress plugin version 5.10.2 be exploited?
The vulnerability in version 5.10.2 allows users with Contributor roles to perform stored XSS by using insecure shortcode attributes.
What is the severity of CVE-2021-24525?
The severity of CVE-2021-24525 is medium, with a CVSS score of 5.4.
Which versions of Shortcodes Ultimate WordPress plugin are affected by CVE-2021-24525?
Versions up to and excluding 5.10.2 of the Shortcodes Ultimate WordPress plugin are affected by CVE-2021-24525.
Is there a fix for CVE-2021-24525?
Yes, updating to version 5.10.2 of the Shortcodes Ultimate WordPress plugin will fix the vulnerability.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/author
- agent/title
- agent/last-modified-date
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/getshortcodes
- canonical/shortcodes ultimate by vova anokhin