Common Vulnerabilities and Exposures

CVE Vulnerability Data CVE-2021-24177

CVE-2021-24177

Summary

In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted on the User-Agent parameter. The payload is then reflected back on the web application response.

References

Vulnerable Configurations

  • cpe:2.3:a:webdesi9:file_manager:1.1:*:*:*:*:wordpress:*:*
  • cpe:2.3:a:webdesi9:file_manager:1.2:*:*:*:*:wordpress:*:*

Reflected XSS

his type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is “reflected” off a vulnerable web application and then executed by a victim’s browser. The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application.

The most common method of this is through a phishing email where the adversary embeds the malicious script with a URL that the victim then clicks on. In processing the subsequent request, the vulnerable web application incorrectly considers the malicious script as valid input and uses it to creates a response that is then sent back to the victim.

Access

Vector Complexity Authentication
NETWORK MEDIUM SINGLE

Impact

Confidentiality Integrity Availability
NONE PARTIAL NONE
Related Articles