CVE-2021-25117 Information
Jan 17, 2024
Description
The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators and is protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled.
Reference
https://wpscan.com/vulnerability/d2d9a789-edae-4ae1-92af-e6132db7efcd/