CVE-2021-25115

{"id": "CVE-2021-25115", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.1}]}, "published": "2022-02-14T12:15:15.490", "references": [{"url": "https://plugins.trac.wordpress.org/changeset/2655859/wp-photo-album-plus", "tags": ["Patch", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/dbc18c2c-7547-44fc-8a41-c819757e47a7", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Error log content was handled improperly, therefore any user, even unauthenticated, could cause arbitrary javascript to be executed in the admin panel."}, {"lang": "es", "value": "El plugin WP Photo Album Plus de WordPress versiones anteriores a 8.0.10, era vulnerable a un ataque de tipo Cross-Site Scripting (XSS) Almacenado. El contenido del registro de errores era manejado inapropiadamente, por lo que cualquier usuario, incluso no autenticado, pod\u00eda causar una ejecuci\u00f3n de javascript arbitrario en el panel de administraci\u00f3n"}], "lastModified": "2022-02-19T04:51:53.727", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wp_photo_album_plus_project:wp_photo_album_plus:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "8C0143B9-0E9E-43BC-881C-14ECEB669F9A", "versionEndExcluding": "8.0.10"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}