CVE-2021-24452
MEDIUM NUCLEIW3 Total Cache < 2.1.5 - Reflected Cross-Site Scripting via Extension Parameter
Title source: llmExploitation Summary
CVE-2021-24452 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.
Nuclei Templates (1)
WordPress W3 Total Cache <2.1.5 - Cross-Site Scripting
MEDIUMVERIFIEDby theamanrawat
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/3e855e09-056f-45b5-89a9-d644b7d8c9d0
Scores
CVSS v3
6.1
EPSS
0.0200
EPSS Percentile
78.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
boldgrid/w3_total_cache
< 2.1.5
Published
Jul 19, 2021
Tracked Since
Feb 18, 2026