CVE-2021-24366

MEDIUM

Admin Columns < 4.3 and Admin Columns Pro < 5.5.1 - Authenticated Stored Cross-Site Scripting via Label Settings

Title source: llm
STIX 2.1

Description

The Admin Columns WordPress plugin before 4.3 and Admin Columns Pro WordPress plugin before 5.5.1 do not sanitise and escape its Label settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Scores

CVSS v3 5.4
EPSS 0.0100
EPSS Percentile 58.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

Status published
Products (2)
admincolumns/admin_columns < 4.3
admincolumns/admin_columns < 5.5.1
Published Jun 21, 2021
Tracked Since Feb 18, 2026