CVE-2021-24272

MEDIUM

fitness_calculators < 1.9.6 - Cross-Site Request Forgery and Stored Cross-Site Scripting

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-24272. PoCs published by 0xB9.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability in the WordPress Fitness Calculators plugin (v1.9.5), allowing attackers to submit malicious input via a crafted form, leading to stored XSS due to lack of sanitization.

Description

The fitness calculators WordPress plugin before 1.9.6 add calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers. Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue

Exploits (1)

exploitdb WORKING POC
by 0xB9 · htmlwebappsphp
https://www.exploit-db.com/exploits/50325

This exploit demonstrates a CSRF vulnerability in the WordPress Fitness Calculators plugin (v1.9.5), allowing attackers to submit malicious input via a crafted form, leading to stored XSS due to lack of sanitization.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WordPress Fitness Calculators plugin v1.9.5
Auth required
Prerequisites: Victim must be logged into WordPress admin panel · Attacker must trick victim into submitting the form
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/e643040b-1f3b-4c13-8a20-acfd069dcc4f

Scores

CVSS v3 4.3
EPSS 0.0024
EPSS Percentile 48.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE
CWE-352
Status published
Products (1)
codeinitiator/fitness_calculators < 1.9.6
Published May 05, 2021
Tracked Since Feb 18, 2026