Vulnerability Details CVE-2021-25117
The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators and is protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled.
Exploit prediction scoring system (EPSS) score
EPSS Score: 0.001
EPSS Ranking: 35.6%
CVSS Severity
CVSS v3 Score: 4.8
Products affected by CVE-2021-25117
- cpe:2.3:a:lesterchan:wp-postratings:-
- cpe:2.3:a:lesterchan:wp-postratings:1.65
- cpe:2.3:a:lesterchan:wp-postratings:1.73
- cpe:2.3:a:lesterchan:wp-postratings:1.74
- cpe:2.3:a:lesterchan:wp-postratings:1.75
- cpe:2.3:a:lesterchan:wp-postratings:1.76
- cpe:2.3:a:lesterchan:wp-postratings:1.77
- cpe:2.3:a:lesterchan:wp-postratings:1.78
- cpe:2.3:a:lesterchan:wp-postratings:1.79
- cpe:2.3:a:lesterchan:wp-postratings:1.80
- cpe:2.3:a:lesterchan:wp-postratings:1.81
- cpe:2.3:a:lesterchan:wp-postratings:1.82
- cpe:2.3:a:lesterchan:wp-postratings:1.83
- cpe:2.3:a:lesterchan:wp-postratings:1.83.1
- cpe:2.3:a:lesterchan:wp-postratings:1.83.2
- cpe:2.3:a:lesterchan:wp-postratings:1.84
- cpe:2.3:a:lesterchan:wp-postratings:1.84.1
- cpe:2.3:a:lesterchan:wp-postratings:1.85
- cpe:2.3:a:lesterchan:wp-postratings:1.86