First published: Mon Jan 24 2022
The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform a Stored Cross-Site Scripting attack via 1) the "color" or "css_class" argument of the sdm_download shortcode, or 2) the "class" or "placeholder" argument of the sdm_search_form shortcode.
Credit: contact@wpscan.com
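The bug class described above, as an added illustration that is not the plugin's own code: a shortcode handler that echoes attribute values straight into markup beside one that escapes each value for its context. The function names, default values and form field name are assumptions.

```php
<?php
// Added example, not code from Simple Download Monitor. Shortcode attributes
// are controlled by whoever writes the post (a Contributor can), so they are
// untrusted input that must be escaped when rendered into HTML.

// Weak pattern: attribute values are interpolated verbatim, so a value
// containing a double quote can close the attribute and start a new one.
function example_sdm_download_unsafe( $atts ) {
    $atts = shortcode_atts( array(
        'color'     => 'green',   // assumed default
        'css_class' => '',
    ), $atts, 'sdm_download' );

    return '<a href="#" class="sdm_download ' . $atts['css_class'] . '"'
         . ' data-color="' . $atts['color'] . '">Download</a>';
}

// Hardened pattern: each value is sanitized or escaped for where it lands.
function example_sdm_download_safe( $atts ) {
    $atts = shortcode_atts( array(
        'color'     => 'green',
        'css_class' => '',
    ), $atts, 'sdm_download' );

    // sanitize_html_class() keeps only characters valid in a class name;
    // apply it per class so a space-separated list still works.
    $classes   = preg_split( '/\s+/', trim( $atts['css_class'] ) );
    $css_class = implode( ' ', array_map( 'sanitize_html_class', $classes ) );
    // esc_attr() encodes quotes and angle brackets, so the value cannot
    // terminate the attribute or inject a tag.
    $color     = esc_attr( $atts['color'] );

    return '<a href="#" class="sdm_download ' . $css_class . '"'
         . ' data-color="' . $color . '">Download</a>';
}

// Same treatment for the search form's "class" and "placeholder" arguments.
function example_sdm_search_form_safe( $atts ) {
    $atts = shortcode_atts( array(
        'class'       => 'sdm-search-form',   // assumed defaults
        'placeholder' => 'Search...',
    ), $atts, 'sdm_search_form' );

    $classes = preg_split( '/\s+/', trim( $atts['class'] ) );
    $class   = implode( ' ', array_map( 'sanitize_html_class', $classes ) );

    return '<form method="get" class="' . $class . '">'
         . '<input type="text" name="search" placeholder="'
         . esc_attr( $atts['placeholder'] ) . '">'
         . '</form>';
}
```

Reviewing a plugin for this class of bug means checking every shortcode handler's output path, not only the attributes named in the advisory.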
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Tipsandtricks-hq Simple Download Monitor | <3.9.11 | Upgrade to 3.9.11 or later |
CVE-2021-24694 refers to a vulnerability in the Simple Download Monitor WordPress plugin that allows users with low privileges to perform Stored Cross-Site Scripting attacks.
The severity of CVE-2021-24694 is rated as medium with a CVSS score of 5.4.
CVE-2021-24694 allows users with a role as low as Contributor to exploit certain arguments of shortcodes in the Simple Download Monitor plugin, leading to Stored Cross-Site Scripting attacks.
All versions of the Simple Download Monitor plugin before 3.9.11 are affected by CVE-2021-24694.
Yes, upgrading to version 3.9.11 or higher of the Simple Download Monitor plugin fixes the CVE-2021-24694 vulnerability.