CVE-2021-24773: WordPress Download Manager < 3.2.16 - Admin+ Stored Cross-Site Scripting
First published: Mon Nov 01 2021(Updated: )
The WordPress Download Manager WordPress plugin before 3.2.16 does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WordPress Download Manager | <3.2.16 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2021-24773?
CVE-2021-24773 has been classified as a high severity vulnerability due to its potential for XSS attacks.
How do I fix CVE-2021-24773?
To mitigate CVE-2021-24773, update the WordPress Download Manager plugin to version 3.2.16 or later.
Who is affected by CVE-2021-24773?
CVE-2021-24773 affects users of the WordPress Download Manager plugin prior to version 3.2.16.
What type of attack does CVE-2021-24773 enable?
CVE-2021-24773 allows high privilege users to perform cross-site scripting (XSS) attacks.
Is unfiltered_html capability a factor in CVE-2021-24773?
CVE-2021-24773 can be exploited regardless of whether the unfiltered_html capability is disallowed for users.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/title
- agent/description
- agent/references
- agent/first-publish-date
- agent/severity
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/wpdownloadmanager
- canonical/wordpress download manager