CVE-2021-25060: Five Star Business Profile and Schema < 2.1.7 - Subscriber+ Page Creation & Settings Update to Stored XSS
First published: Mon Feb 21 2022(Updated: )
The Five Star Business Profile and Schema WordPress plugin before 2.1.7 does not have any authorisation and CSRF in its bpfwp_welcome_add_contact_page and bpfwp_welcome_set_contact_information AJAX action, allowing any authenticated users, such as subscribers, to call them. Furthermore, due to the lack of sanitisation, it also lead to Stored Cross-Site Scripting issues
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Five Star Business Profile And Schema | <2.1.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for Five Star Business Profile and Schema WordPress plugin?
The vulnerability ID for Five Star Business Profile and Schema WordPress plugin is CVE-2021-25060.
What is the severity rating of CVE-2021-25060?
CVE-2021-25060 has a severity rating of medium (5.4).
What is the affected software for CVE-2021-25060?
The affected software for CVE-2021-25060 is Five Star Business Profile and Schema WordPress plugin version up to 2.1.7.
What is the CWE ID for CVE-2021-25060?
The CWE ID for CVE-2021-25060 is CWE-352 and CWE-79.
Is there a fix available for CVE-2021-25060?
Yes, updating the Five Star Business Profile and Schema WordPress plugin to version 2.1.7 or higher will fix the vulnerability.
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/title
- agent/references
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/fivestarplugins
- canonical/five star business profile and schema