CVE-2021-24611 Information

Description

The Keyword Meta WordPress plugin through 3.0 does not sanitise or escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it also lacks any CSRF check, allowing an attacker to make a logged-in high-privilege user save arbitrary settings via a CSRF attack.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://wpscan.com/vulnerability/b4a2e595-6971-4a2a-a346-ac4445a5e0cd

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM
