CVE-2021-24685 Information

Description

The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, and does not sanitise and escape them, which could allow attackers to make a logged-in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload).

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Reference

https://wpscan.com/vulnerability/972ecde8-3d44-4dd9-81e3-643d8737434f

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM
