Vulnerability Details CVE-2021-24234
The Search Forms page of the Ivory Search WordPress lugin before 4.6.1 did not properly sanitise the tab parameter before output it in the page, leading to a reflected Cross-Site Scripting issue when opening a malicious crafted link as a high privilege user. Knowledge of a form id is required to conduct the attack.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 49.8%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- https://wpscan.com/vulnerability/ecc620be-8e29-4860-9d32-86b5814a3835
- https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-in-ivory-search-wp-plugin/
- https://www.jinsonvarghese.com/reflected-xss-vulnerability-found-in-ivory-search-plugin/
- https://wpscan.com/vulnerability/ecc620be-8e29-4860-9d32-86b5814a3835
- https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-in-ivory-search-wp-plugin/
- https://www.jinsonvarghese.com/reflected-xss-vulnerability-found-in-ivory-search-plugin/
Products affected by CVE-2021-24234
-
cpe:2.3:a:ivorysearch:ivory_search:-
-
cpe:2.3:a:ivorysearch:ivory_search:4.5.10
-
cpe:2.3:a:ivorysearch:ivory_search:4.5.11
-
cpe:2.3:a:ivorysearch:ivory_search:4.5.5
-
cpe:2.3:a:ivorysearch:ivory_search:4.5.6
-
cpe:2.3:a:ivorysearch:ivory_search:4.5.7
-
cpe:2.3:a:ivorysearch:ivory_search:4.5.8
-
cpe:2.3:a:ivorysearch:ivory_search:4.5.9
-
cpe:2.3:a:ivorysearch:ivory_search:4.6