CVE-2021-24425 - OpenCVE

The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Premio	Mystickymenu

Configuration 1 [-]

cpe:2.3:a:premio:mystickymenu:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://m0ze.ru/vulnerability/%5B2021-05-21%5D-%5BWordPress%5D-%5BCWE-79%5D-MyStickymenu-WordPress-Plugin-v2.5.1.txt
https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-08-02T10:31:54

Updated: 2024-08-03T19:28:23.900Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24425

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-02T11:15:08.750

Modified: 2023-11-07T03:31:13.560

Link: CVE-2021-24425

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu", "vendor": "Unknown", "versions": [{"lessThan": "2.5.2", "status": "affected", "version": "2.5.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "m0ze"}], "descriptions": [{"lang": "en", "value": "The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active)"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-02T10:31:54", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583"}, {"tags": ["x_refsource_MISC"], "url": "https://m0ze.ru/vulnerability/%5B2021-05-21%5D-%5BWordPress%5D-%5BCWE-79%5D-MyStickymenu-WordPress-Plugin-v2.5.1.txt"}], "source": {"discovery": "UNKNOWN"}, "title": "myStickymenu < 2.5.2 - Authenticated Stored XSS", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24425", "STATE": "PUBLIC", "TITLE": "myStickymenu < 2.5.2 - Authenticated Stored XSS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu", "version": {"version_data": [{"version_affected": "<", "version_name": "2.5.2", "version_value": "2.5.2"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "m0ze"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active)"}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583"}, {"name": "https://m0ze.ru/vulnerability/[2021-05-21]-[WordPress]-[CWE-79]-MyStickymenu-WordPress-Plugin-v2.5.1.txt", "refsource": "MISC", "url": "https://m0ze.ru/vulnerability/[2021-05-21]-[WordPress]-[CWE-79]-MyStickymenu-WordPress-Plugin-v2.5.1.txt"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:28:23.900Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://m0ze.ru/vulnerability/%5B2021-05-21%5D-%5BWordPress%5D-%5BCWE-79%5D-MyStickymenu-WordPress-Plugin-v2.5.1.txt"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24425", "datePublished": "2021-08-02T10:31:54", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:28:23.900Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:premio:mystickymenu:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A1E3B4BD-64BE-4CA3-A214-613784F456FC", "versionEndExcluding": "2.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active)"}, {"lang": "es", "value": "Los plugins Floating Notification Bar, Sticky Menu on Scroll, y Sticky Header for Any Theme \u00e2\u20ac\u201c myStickymenu de WordPress versiones anteriores a 2.5.2, no sanea o escapa de la configuraci\u00f3n de su Barra de Texto, permitiendo a usuarios con altos privilegios usar JavaScript malicioso en ella, conllevando a un problema de tipo Cross-Site Scripting Almacenado, que ser\u00e1 desencadenado en la configuraci\u00f3n del plugin, as\u00ed como en toda la p\u00e1gina principal del blog (cuando la Barra de Bienvenida est\u00e1 activa)"}], "id": "CVE-2021-24425", "lastModified": "2023-11-07T03:31:13.560", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-02T11:15:08.750", "references": [{"source": "contact@wpscan.com", "url": "https://m0ze.ru/vulnerability/%5B2021-05-21%5D-%5BWordPress%5D-%5BCWE-79%5D-MyStickymenu-WordPress-Plugin-v2.5.1.txt"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "contact@wpscan.com", "type": "Primary"}]}