CVE-2021-24452 Information

Description

The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the xtension\ parameter in the Extensions dashboard when the ‘Anonymously track usage to improve product quality’ setting is enabled as the parameter is output in a JavaScript context without proper escaping. This could allow an attacker who can convince an authenticated admin into clicking a link to run malicious JavaScript within the user’s web browser which could lead to full site compromise.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://wpscan.com/vulnerability/3e855e09-056f-45b5-89a9-d644b7d8c9d0

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1