CVE-2021-33851
MEDIUM NUCLEICustomize Login Image - Stored Cross-Site Scripting via Custom Logo Link
Title source: llmExploitation Summary
CVE-2021-33851 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
Nuclei Templates (1)
WordPress Customize Login Image <3.5.3 - Cross-Site Scripting
MEDIUMVERIFIEDby 8authur
References (1)
Core 1
Core References
Exploit, Mitigation, Third Party Advisory x_refsource_misc
https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
Scores
CVSS v3
5.4
EPSS
0.0132
EPSS Percentile
67.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
apasionados/customize_login_image
3.4
Published
Mar 10, 2022
Tracked Since
Feb 18, 2026