CVE-2021-33851

MEDIUM NUCLEI

Apasionados Customize Login Image - XSS

Title source: rule

Description

A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.

Nuclei Templates (1)

WordPress Customize Login Image <3.5.3 - Cross-Site Scripting

MEDIUMVERIFIEDby 8authur

References (1)

[Exploit, Mitigation, Third Party Advisory] https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html

Scores

CVSS v3 5.4

EPSS 0.0746

EPSS Percentile 91.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

apasionados/customize_login_image 3.4

Published Mar 10, 2022

Tracked Since Feb 18, 2026