CVE-2021-39332 - Vulnerability Details

CVE-2021-39332 - Business Manager – WordPress ERP, HR, CRM, and Project Management Plugin <= 1.4.5 Authenticated Stored Cross-Site Scripting

The Business Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found throughout the plugin which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.4.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00288.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Linksoftwarellc Subscribe	Business Manager Subscribe

Configuration 1 [-]

cpe:2.3:a:linksoftwarellc:business_manager:*:*:*:*:*:wordpress:*:*

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-25693	The Business Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found throughout the plugin which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.4.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Fixes

Solution

Uninstall plugin from WordPress site.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39332

History

Fri, 14 Feb 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2021-10-15T12:15:15.115Z

Updated: 2025-02-14T18:10:57.252Z

Reserved: 2021-08-20T00:00:00.000Z

Link: CVE-2021-39332

Vulnrichment

Updated: 2024-08-04T02:06:41.542Z

NVD

Status : Modified

Published: 2021-10-15T13:15:07.600

Modified: 2024-11-21T06:19:15.317

Link: CVE-2021-39332

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object