CVE-2021-39322
MEDIUM NUCLEIEasy Social Icons <= 3.0.8 - Reflected Cross-Site Scripting via PHP_SELF
Title source: llmExploitation Summary
CVE-2021-39322 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.
Nuclei Templates (1)
WordPress Easy Social Icons Plugin < 3.0.9 - Cross-Site Scripting
MEDIUMby dhiyaneshDK
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/5e0bf0b6-9809-426b-b1d4-1fb653083b58
Third Party Advisory x_refsource_misc
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39322
Scores
CVSS v3
6.1
EPSS
0.0223
EPSS Percentile
80.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
cybernetikz/easy_social_icons
< 3.0.9
Published
Sep 02, 2021
Tracked Since
Feb 18, 2026