CVE-2021-24922

CRITICAL

Pixel Cat WordPress Plugin < 2.6.2 - Cross-Site Request Forgery and Stored Cross-Site Scripting

Title source: llm

Description

The Pixel Cat WordPress plugin before 2.6.2 does not have a CSRF check when saving its settings, and does not sanitise or escape some of them, which could allow an attacker to make a logged-in admin change them and perform Cross-Site Scripting attacks.

References (1)

Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/399ffd65-f3c0-4fbe-a83a-2a620976aad2

Scores

CVSS v3 9.0
EPSS 0.0053
EPSS Percentile 41.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
fatcatapps/pixel_cat < 2.6.2
Published Dec 13, 2021
Tracked Since Feb 18, 2026