Vulnerability Details CVE-2021-24792
The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation or CSRF checks in place when saving a template (the wpbtn_save_template function, hooked to the init action), nor does it sanitise and escape templates before outputting them in the admin dashboard. This allows unauthenticated users to add a malicious template, leading to Stored Cross-Site Scripting issues.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.121
EPSS Ranking 93.6%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
Products affected by CVE-2021-24792
- cpe:2.3:a:wpeden:shiny_buttons:-
- cpe:2.3:a:wpeden:shiny_buttons:1.1.0