An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.6 did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend pages.
References
Link | Resource |
---|---|
https://codecanyon.net/item/visual-composer-clipboard/8897711 | Product Third Party Advisory |
https://wpscan.com/vulnerability/3bc0733a-b949-40c9-a5fb-f56814fc4af3 | Exploit Third Party Advisory |
https://codecanyon.net/item/visual-composer-clipboard/8897711 | Product Third Party Advisory |
https://wpscan.com/vulnerability/3bc0733a-b949-40c9-a5fb-f56814fc4af3 | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 05:52
Type | Values Removed | Values Added |
---|---|---|
References | () https://codecanyon.net/item/visual-composer-clipboard/8897711 - Product, Third Party Advisory | |
References | () https://wpscan.com/vulnerability/3bc0733a-b949-40c9-a5fb-f56814fc4af3 - Exploit, Third Party Advisory |
Information
Published : 2021-05-06 13:15
Updated : 2024-11-21 05:52
NVD link : CVE-2021-24243
Mitre link : CVE-2021-24243
CVE.ORG link : CVE-2021-24243
JSON object : View
Products Affected
wpbakery_page_builder_clipboard_project
- wpbakery_page_builder_clipboard
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')