CVE-2021-24936

HIGH

WP Extra File Types < 0.5.1 - Cross-Site Request Forgery and Stored Cross-Site Scripting

Title source: llm

Description

The WP Extra File Types WordPress plugin before 0.5.1 does not perform a CSRF (nonce) check when saving its settings, nor does it sanitise and escape some of those settings. An attacker can therefore trick a logged-in admin into changing them (for example via a form auto-submitted from an attacker-controlled page) and, because the stored values are output unescaped, use the changed settings to mount Stored Cross-Site Scripting attacks.
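The two defects the description names (no nonce check on the settings save, and unsanitised/unescaped settings) are a common WordPress plugin pattern. The following is an added illustration written for this page; it is not the WP Extra File Types plugin's own code, and the option name `demo_extra_types`, the hook names `admin_post_demo_*`, the nonce action `demo_save_settings` and the helper `demo_sanitize_types()` are all hypothetical. The first half shows the vulnerable pattern, the second half the hardened form using only standard WordPress APIs.

```php
<?php
// Added illustration, not the WP Extra File Types plugin's own code.
// Hypothetical option name 'demo_extra_types' and hook names 'admin_post_demo_*'.

// ---- Vulnerable pattern: what the description reports ----------------------
add_action('admin_post_demo_save_vuln', 'demo_save_vuln');
function demo_save_vuln() {
    // Defect 1 (CWE-352): no nonce check. A logged-in admin who loads an
    // attacker page that auto-submits a POST to admin-post.php with
    // action=demo_save_vuln has this option overwritten without consent.
    // Defect 2: the raw value is stored as-is (no sanitisation).
    update_option('demo_extra_types', $_POST['types']);
    wp_safe_redirect(admin_url('options-general.php?page=demo'));
    exit;
}

function demo_render_vuln() {
    $types = get_option('demo_extra_types', '');
    // Defect 2 continued: stored value echoed unescaped into an attribute,
    // so a value such as  "><script>...</script>  becomes stored XSS that
    // fires for every admin who opens the settings page.
    echo '<input name="types" value="' . $types . '">';
}

// ---- Hardened pattern -------------------------------------------------------
add_action('admin_post_demo_save', 'demo_save');
function demo_save() {
    // Capability check: only users allowed to manage options may save.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', 403);
    }
    // CSRF fix: dies unless the POST carries a valid nonce for this action.
    check_admin_referer('demo_save_settings', 'demo_nonce');

    $raw   = isset($_POST['types']) ? wp_unslash($_POST['types']) : '';
    $types = demo_sanitize_types($raw); // restrict to the shape the setting needs
    update_option('demo_extra_types', $types);
    wp_safe_redirect(admin_url('options-general.php?page=demo&updated=1'));
    exit;
}

// Hypothetical helper: keep only comma-separated alphanumeric extensions.
function demo_sanitize_types($raw) {
    $clean = array();
    foreach (explode(',', sanitize_text_field($raw)) as $ext) {
        $ext = strtolower(trim($ext));
        if (preg_match('/^[a-z0-9]{1,10}$/', $ext)) {
            $clean[] = $ext;
        }
    }
    return implode(',', array_unique($clean));
}

function demo_render() {
    $types = get_option('demo_extra_types', '');
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    wp_nonce_field('demo_save_settings', 'demo_nonce'); // emits the nonce the save handler checks
    echo '<input type="hidden" name="action" value="demo_save">';
    echo '<input name="types" value="' . esc_attr($types) . '">'; // escaped on output
    submit_button();
    echo '</form>';
}
```

Note that the nonce alone closes the CSRF hole but not the XSS: an admin could still store a script payload through the legitimate form, so output escaping (`esc_attr()` here, `esc_html()` for text nodes) and input restriction are needed regardless. When reviewing a plugin for this class of bug, look for `update_option()` calls reachable from `admin_post_*`, `admin_init` or `wp_ajax_*` handlers that are not preceded by `check_admin_referer()` / `wp_verify_nonce()` and a capability check.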

References (1)

Exploit, Third Party Advisory (x_refsource_misc): https://wpscan.com/vulnerability/4fb61b84-ff5f-4b4c-a516-54b749f9611e

Scores

CVSS v3 8.0
EPSS 0.0054
EPSS Percentile 41.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
wp_extra_file_types_project/wp_extra_file_types < 0.5.1
Published Jan 24, 2022
Tracked Since Feb 18, 2026