First published: Mon Dec 06 2021
The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed.
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Soflyy Wp All Import | <3.6.3 | Update to 3.6.3 or later |
CVE-2021-24714 is a vulnerability in the Import any XML or CSV File to WordPress plugin before version 3.6.3 that allows high privilege users to perform Cross-Site attacks.
CVE-2021-24714 affects the Import any XML or CSV File to WordPress plugin, potentially allowing high privilege users to perform Cross-Site attacks.
CVE-2021-24714 has a severity rating of medium with a CVSS score of 4.8.
All versions of the Import any XML or CSV File to WordPress plugin before 3.6.3 are affected by CVE-2021-24714.
To fix CVE-2021-24714, update the Import any XML or CSV File to WordPress plugin to version 3.6.3 or later.