CVE-2021-24444

MEDIUM

TaxoPress < 3.0.7.2 - Authenticated Stored Cross-Site Scripting in Taxonomy Description Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-24444. PoCs published by Akash Patil.

AI-analyzed exploit summary: This is a writeup describing a stored XSS vulnerability in WordPress Plugin TaxoPress 3.0.7.1. It provides steps to reproduce the vulnerability by injecting a JavaScript payload into the 'Table Name & Descriptions' field, which gets stored in the database and executed when triggered.

Description

The TaxoPress – Create and Manage Taxonomies, Tags, Categories WordPress plugin before 3.0.7.2 does not sanitise its Taxonomy description field, allowing high privilege users to set JavaScript payload in them even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.

Exploits (1)

exploitdb WRITEUP
by Akash Patil · text · webapps · php
https://www.exploit-db.com/exploits/50442

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin TaxoPress 3.0.7.1
Auth required
Prerequisites: WordPress installation · TaxoPress plugin version 3.0.7.1 installed and activated · Authenticated user access
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 4.8
EPSS 0.0232
EPSS Percentile 81.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
taxopress/taxopress < 3.0.7.2
Published Aug 02, 2021
Tracked Since Feb 18, 2026