CVE-2021-24874: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.31 - Reflected Cross-Site Scripting
First published: Mon Feb 14 2022(Updated: )
The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.31 does not escape the lang and pid parameter before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
Credit: contact@wpscan.com contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Brevo | <3.1.31 | |
| Sendinblue | <3.1.31 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-24874?
CVE-2021-24874 is a vulnerability found in the Newsletter SMTP Email marketing and Subscribe forms by Sendinblue WordPress plugin before version 3.1.31.
What is the severity of CVE-2021-24874?
The severity of CVE-2021-24874 is medium, with a CVSS score of 6.1.
How does CVE-2021-24874 affect the affected software?
CVE-2021-24874 affects the Sendinblue Newsletter, SMTP, Email marketing and Subscribe forms WordPress plugin before version 3.1.31.
What is the CWE classification for CVE-2021-24874?
CVE-2021-24874 has a CWE classification of CWE-79, which is a category for Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
How can I fix CVE-2021-24874?
To fix CVE-2021-24874, you should update the Sendinblue WordPress plugin to version 3.1.31 or later.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/title
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/author
- agent/last-modified-date
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- vendor/brevo
- canonical/brevo
- vendor/sendinblue
- canonical/sendinblue