CVE-2021-24936
Severity: HIGH
WP Extra File Types < 0.5.1 - Cross-Site Request Forgery and Stored Cross-Site Scripting
Title source: llmDescription
The WP Extra File Types WordPress plugin before 0.5.1 does not have a CSRF check when saving its settings, nor does it sanitise and escape some of them, which could allow attackers to make a logged-in admin change them and perform Cross-Site Scripting attacks.
References (1)
Core References
Exploit, Third Party Advisory (x_refsource_misc)
https://wpscan.com/vulnerability/4fb61b84-ff5f-4b4c-a516-54b749f9611e
Scores
CVSS v3: 8.0
EPSS: 0.0054
EPSS Percentile: 41.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-352
Status: published
Products (1): wp_extra_file_types_project/wp_extra_file_types < 0.5.1
Published: Jan 24, 2022
Tracked Since: Feb 18, 2026