CVE-2021-33351

CRITICAL

Wyomind Help Desk Magento 2 <1.3.7 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-33351. PoCs published by Patrik Lantz.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Wyomind Help Desk for Magento 2, which can be leveraged to enable file uploads with dangerous extensions (e.g., 'phar') and directory traversal to achieve remote code execution (RCE). The PoC includes a detailed payload to modify backend configurations via XSS.

Description

Cross Site Scripting Vulnerability in Wyomind Help Desk Magento 2 extension v.1.3.6 and before and fixed in v.1.3.7 allows attackers to escalte privileges via a crafted payload in the ticket message field.

Exploits (1)

exploitdb WORKING POC
by Patrik Lantz · textwebappsmultiple
https://www.exploit-db.com/exploits/50113

This exploit demonstrates a stored XSS vulnerability in Wyomind Help Desk for Magento 2, which can be leveraged to enable file uploads with dangerous extensions (e.g., 'phar') and directory traversal to achieve remote code execution (RCE). The PoC includes a detailed payload to modify backend configurations via XSS.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Wyomind Help Desk for Magento 2 <= 1.3.6
No auth needed
Prerequisites: Access to the frontend ticket submission form · Administrator interaction to trigger the XSS payload
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/50113

Scores

CVSS v3 9.0
EPSS 0.0103
EPSS Percentile 59.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (1)
wyomind/help_desk < 1.3.7
Published Mar 08, 2023
Tracked Since Feb 18, 2026