CVE-2021-24822 Information

Description

The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation or CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated user, such as a subscriber, to call them and perform Stored Cross-Site Scripting attacks against logged-in admins as well as frontend users, due to the lack of sanitisation and escaping in some parameters.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://wpscan.com/vulnerability/db84a782-d4c8-4abf-99ea-ea672a9b806e

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM
