CVE-2021-24444

MEDIUM

TaxoPress < 3.0.7.2 - XSS

Description

The TaxoPress – Create and Manage Taxonomies, Tags, Categories WordPress plugin before 3.0.7.2 does not sanitise its Taxonomy description field, allowing high-privilege users to set a JavaScript payload in it even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.

Exploits (1)

exploitdb WRITEUP
by Akash Patil · text · webapps · php
https://www.exploit-db.com/exploits/50442

Scores

CVSS v3: 4.8
EPSS: 0.0157
EPSS Percentile: 81.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1)
taxopress/taxopress < 3.0.7.2
Published: Aug 02, 2021
Tracked Since: Feb 18, 2026