CVE-2021-24545

Severity: MEDIUM (lab available)

WP HTML Author Bio <= 1.2.0 - Authenticated Stored Cross-Site Scripting via User Bio

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-24545, with PoCs published by V35HR4J and dnr6419. Note that the AI analysis of the dnr6419 repository describes CVE-2021-24145 (an arbitrary file upload in Modern Events Calendar Lite), a different vulnerability, so that entry should be verified before being relied on.

AI-analyzed exploit summary: The repository provides a functional proof-of-concept for a stored XSS vulnerability in the WP HTML Author Bio plugin <= 1.2.0. The exploit involves injecting malicious JavaScript into the Biographical Info field, which executes when a post by that author is viewed on the frontend.

Description

The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML it allows in the Bio (Biographical Info) field of user profiles. A user can therefore store arbitrary JavaScript in their bio, and it is executed whenever anyone visits a frontend post written by that user. As a result, a user with a role as low as Author can perform stored Cross-Site Scripting attacks against other users, which could lead to privilege escalation when an administrator views the related post(s).
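The fix for this class of bug is not to forbid HTML in the bio but to pass it through an allowlist sanitiser (the role `wp_kses` plays in WordPress) before it is stored or rendered. The following is an added example, not code from the WP HTML Author Bio plugin or from either PoC repository: a small kses-style sanitiser for a bio field, plus an audit routine that runs it over constructed `wp_usermeta` rows to find bios that already carry disallowed markup, which is the check an incident responder would want after this CVE. The allowed tag/attribute set, the `_safe_url` scheme check and the sample rows are assumptions made for the example.

```python
"""Allowlist sanitiser and audit for WordPress author bios (added example).

Models what a kses-style allowlist does to the 'description' user meta:
keep a few inline tags and attributes, drop everything else (script,
style, event handlers, javascript:/data: URLs). Not the plugin's own code.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for a bio field (stand-in for a wp_kses allowed-tags array).
ALLOWED = {
    "a": {"href", "title", "rel"},
    "b": set(), "strong": set(), "i": set(), "em": set(), "br": set(),
}
VOID = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # '' covers relative URLs


def _safe_url(value: str) -> bool:
    """Reject href values whose scheme is not in SAFE_SCHEMES."""
    # Drop control/whitespace characters first: "java\tscript:" must not slip through.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False


class BioSanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entity-encoded payloads are decoded before checks
        self.out = []
        self.open = []        # stack of allowed tags emitted so far
        self.dropped = 0      # tags/attributes/comments removed
        self.skip_depth = 0   # >0 while inside <script>/<style>: text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped += 1
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED:
            self.dropped += 1  # e.g. <img onerror=...>: whole element removed
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag] or (name == "href" and not _safe_url(value)):
                self.dropped += 1  # event handlers and javascript: links removed
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open:
            return
        while self.open:  # close up to the matching tag so output stays well formed
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped += 1  # comments are never emitted

    def result(self) -> str:
        while self.open:  # close anything the author left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitise_bio(raw: str) -> tuple[str, int]:
    """Return (clean_html, number_of_dropped_tags_or_attributes)."""
    p = BioSanitiser()
    p.feed(raw)
    p.close()
    return p.result(), p.dropped


# Constructed wp_usermeta rows (user_id, description) for the audit; not real data.
SAMPLE_USERMETA = [
    (2, 'Editor. Writes about <b>security</b> and <a href="https://example.com">blogs here</a>.'),
    (7, "Hi<script>fetch('/wp-admin/user-new.php')</script>"),
    (9, '<a href="javascript:alert(document.cookie)">my site</a>'),
    (11, '<img src=x onerror="alert(1)">author'),
]


def audit_bios(rows):
    """Return [(user_id, dropped_count, clean_html)] for every bio the sanitiser would change."""
    findings = []
    for user_id, description in rows:
        clean, dropped = sanitise_bio(description)
        if dropped:
            findings.append((user_id, dropped, clean))
    return findings


if __name__ == "__main__":
    for user_id, dropped, clean in audit_bios(SAMPLE_USERMETA):
        print(f"user {user_id}: {dropped} item(s) removed -> {clean!r}")
```

Run against a real site, `audit_bios` would be fed the output of `SELECT user_id, meta_value FROM wp_usermeta WHERE meta_key = 'description'`; any row it reports is a bio that an unsanitised plugin has already stored with executable markup and should be cleaned and investigated. The sanitiser checks `href` after entity decoding and whitespace stripping on purpose, since `java&#9;script:` is a common way around a naive prefix check.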

Exploits (2)

nomisec WORKING POC 2 stars
by V35HR4J · poc
https://github.com/V35HR4J/CVE-2021-24545


Classification: Working PoC (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WP HTML Author Bio <= 1.2.0
Auth required
Prerequisites: Author-level access to the WordPress site
Analyzed by devstral-2 on Feb 18, 2026
nomisec WORKING POC
by dnr6419 · poc
https://github.com/dnr6419/CVE-2021-24545

The AI analysis of this repository describes a functional exploit for CVE-2021-24145, an arbitrary file upload vulnerability in the Modern Events Calendar Lite WordPress plugin (versions before 5.16.5): a Python script that authenticates to WordPress and uploads a PHP shell by bypassing content-type checks. That is a different CVE from the one on this page (CVE-2021-24545, stored XSS in WP HTML Author Bio), so either the analysis or the repository mapping is mismatched; verify the repository contents before treating it as a PoC for this issue.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Modern Events Calendar Lite WordPress plugin < 5.16.5
Auth required
Prerequisites: WordPress admin credentials · Modern Events Calendar Lite plugin installed
Analyzed by devstral-2 on Feb 18, 2026

References (1)

https://wpscan.com/vulnerability/64267134-9d8c-4e0c-b24f-d18692a5775e (Exploit, Third Party Advisory)

Scores

CVSS v3.1 base score: 5.4 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
EPSS: 0.0177 (percentile 75.2%)

Lab Environment

Community Lab
docker pull wordpress:5.7.0-php7.4-apache

The image provides WordPress core only; the WP HTML Author Bio plugin (<= 1.2.0), a database, and an Author-level test account still have to be set up separately to reproduce the issue.

Details

CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Status: published
Products (1): wp_html_author_bio_project/wp_html_author_bio <= 1.2.0
Published: Oct 11, 2021
Tracked since: Feb 18, 2026