CVE-2021-24176

MEDIUM NUCLEI

JH 404 Logger < 1.1 - Stored Cross-Site Scripting via Unsanitized Referer and Path

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-24176 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard.

Nuclei Templates (1)

WordPress JH 404 Logger <=1.1 - Cross-Site Scripting
MEDIUMby Ganofins

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/705bcd6e-6817-4f89-be37-901a767b0585
Exploit, Third Party Advisory x_refsource_misc
https://ganofins.com/blog/my-first-cve-2021-24176/

Scores

CVSS v3 5.4
EPSS 0.0204
EPSS Percentile 78.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
jh_404_logger_project/jh_404_logger < 1.1
Published Apr 05, 2021
Tracked Since Feb 18, 2026