CVE-2021-24487
HIGHSt-Daily-Tip < 4.7 - Cross-Site Request Forgery and Stored Cross-Site Scripting via Default Text Setting
Title source: llmDescription
The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it the page. This could allow attacker to make logged in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issue
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/def352f8-1bbe-4263-ad1a-1486140269f4
Scores
CVSS v3
8.8
EPSS
0.0062
EPSS Percentile
45.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
CWE-79
Status
published
Products (1)
sanskruti/st-daily-tip
< 4.7
Published
Oct 25, 2021
Tracked Since
Feb 18, 2026