CVE-2021-24901

MEDIUM

Security Audit WordPress Plugin < 1.0.0 - Authenticated Stored Cross-Site Scripting via Data Id Setting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-24901. PoCs published by Shweta Mahajan.

AI-analyzed exploit summary: This is a writeup describing a stored XSS vulnerability in the WordPress plugin Titan-labs-security-audit version 1.0.0. The exploit involves injecting a malicious JavaScript payload into the 'Data Id' field, which gets stored and executed when triggered.

Description

The Security Audit WordPress plugin through 1.0.0 does not sanitise and escape the Data Id setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Exploits (1)

exploitdb WRITEUP
by Shweta Mahajan · text · webapps · php
https://www.exploit-db.com/exploits/50723

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin Titan-labs-security-audit 1.0.0
Auth required
Prerequisites: WordPress installation · Titan-labs-security-audit plugin version 1.0.0 installed and activated · Access to Security Audit settings
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/9c315404-b66a-448c-a3b7-367a37b53435

Scores

CVSS v3 4.8
EPSS 0.0509
EPSS Percentile 91.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
securemoz/security_audit < 1.0.0
Published Feb 28, 2022
Tracked Since Feb 18, 2026