{"containers": {"cna": {"affected": [{"product": "WordPress File Upload", "vendor": "Unknown", "versions": [{"lessThan": "4.16.3", "status": "affected", "version": "4.16.3", "versionType": "custom"}]}, {"product": "wordpress-file-upload-pro", "vendor": "Unknown", "versions": [{"lessThan": "4.16.3", "status": "affected", "version": "4.16.3", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "apple502j"}], "descriptions": [{"lang": "en", "value": "The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-07T08:16:10.000Z", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/18902832-2973-498d-808e-c75d1aedc11e"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://plugins.trac.wordpress.org/changeset/2677722"}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Malicious SVG", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24960", "STATE": "PUBLIC", "TITLE": "WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Malicious SVG"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WordPress File Upload", "version": {"version_data": [{"version_affected": "<", "version_name": "4.16.3", "version_value": "4.16.3"}]}}, {"product_name": "wordpress-file-upload-pro", "version": {"version_data": [{"version_affected": "<", "version_name": "4.16.3", "version_value": "4.16.3"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "apple502j"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks"}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/18902832-2973-498d-808e-c75d1aedc11e", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/18902832-2973-498d-808e-c75d1aedc11e"}, {"name": "https://plugins.trac.wordpress.org/changeset/2677722", "refsource": "CONFIRM", "url": "https://plugins.trac.wordpress.org/changeset/2677722"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:49:13.982Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/18902832-2973-498d-808e-c75d1aedc11e"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://plugins.trac.wordpress.org/changeset/2677722"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24960", "datePublished": "2022-03-07T08:16:10.000Z", "dateReserved": "2021-01-14T00:00:00.000Z", "dateUpdated": "2024-08-03T19:49:13.982Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:iptanus:wordpress_file_upload:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "78B66CF0-2ED9-4F5A-A20D-3B082627BEBA", "versionEndExcluding": "4.16.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:iptanus:wordpress_file_upload_pro:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "0E8A6720-FF2B-4F6C-85C7-DBCCD9465DE6", "versionEndExcluding": "4.16.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks"}, {"lang": "es", "value": "El plugin WordPress File Upload de WordPress versiones anteriores a 4.16.3, el plugin wordpress-file-upload-pro de WordPress versiones anteriores a 4.16.3, permite a usuarios con un rol tan bajo como el de Contributor configurar el formulario de subida de una manera que permite subir archivos SVG, que podr\u00edan ser usados para ataques de tipo Cross-Site Scripting"}], "id": "CVE-2021-24960", "lastModified": "2024-11-21T05:54:05.303", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-07T09:15:08.417", "references": [{"source": "contact@wpscan.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/changeset/2677722"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/18902832-2973-498d-808e-c75d1aedc11e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/changeset/2677722"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/18902832-2973-498d-808e-c75d1aedc11e"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "contact@wpscan.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}