CVE-2021-24664

MEDIUM

WPSchoolPress < 2.1.17 - Stored Cross-Site Scripting via Insufficient Output Escaping


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-24664. PoCs published by Davide Taraschi.

AI-analyzed exploit summary: This exploit demonstrates multiple stored XSS vulnerabilities in the WordPress plugin WPSchoolPress up to version 2.1.16. The PoC leverages improper escaping of user input in various admin pages, allowing arbitrary JavaScript execution when specific payloads are injected into input fields.

Description

The School Management System – WPSchoolPress WordPress plugin before 2.1.17 sanitises some fields using sanitize_text_field() but does not escape them before outputting them in HTML attributes, resulting in Stored Cross-Site Scripting issues.

Exploits (1)

Exploit-DB (working PoC)
by Davide Taraschi · tags: text, webapps, php
https://www.exploit-db.com/exploits/50520

Classification
Working PoC: 100%
Attack type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress plugin WPSchoolPress <= 2.1.16
Auth required: yes
Prerequisites: Admin or teacher privileges in WordPress · WPSchoolPress plugin version <= 2.1.16 installed
MITRE ATT&CK: none listed
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core references (2)
Exploit, Third Party Advisory
https://wpscan.com/vulnerability/3f8e170c-6579-4b1a-a1ac-7d93da17b669

Scores

CVSS v3: 4.8
EPSS: 0.0236
EPSS percentile: 81.5%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): igexsolutions/wpschoolpress < 2.1.17
Published: Nov 08, 2021
Tracked since: Feb 18, 2026