CVE-2021-24206— WordPress 跨站脚本漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2021-24206の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Image Box Widget
ソース: NVD (National Vulnerability Database)
脆弱性説明
In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘title_size’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.
ソース: NVD (National Vulnerability Database)
CVSS情報
N/A
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
WordPress 跨站脚本漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress 插件是WordPress开源的一个应用插件。 Elementor Website Builder WordPress plugin before 3.1.4 存在跨站脚本漏洞,该漏洞源于图像框小部件(包括小部件image-box.php)的标题大小参数。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
| ベンダー | プロダクト | 影響を受けるバージョン | CPE | 購読 |
|---|---|---|---|---|
| Unknown | Elementor Website Builder | 3.1.4 ~ 3.1.4 | - |
II. CVE-2021-24206の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2021-24206のインテリジェンス情報
请登录查看更多情报信息。
- https://wpscan.com/vulnerability/2f66efd9-7d55-4f33-9109-3cb583a0c309x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2021-24206
Same Patch Batch · Unknown · 2021-04-05 · 45 CVEs total
| CVE-2021-24164 | Ninja Forms < 3.4.34.1 - Authenticated OAuth Connection Key Disclosure | |
| CVE-2021-24167 | Web-Stat < 1.4.1 - API Key Disclosure | |
| CVE-2021-24166 | Ninja Forms < 3.4.34 - CSRF to OAuth Service Disconnection | |
| CVE-2021-24150 | Like Button Rating < 2.6.32 - Unauthenticated Full-Read SSRF | |
| CVE-2021-24154 | Theme Editor < 2.6 - Authenticated Arbitrary File Download | |
| CVE-2021-24155 | Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload | |
| CVE-2021-24156 | Testimonial Rotator <= 3.0.3 - Authenticated Stored Cross-Site Scripting | |
| CVE-2021-24157 | Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Stored Cross Site Scripting | |
| CVE-2021-24158 | Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Privilege Escalation | |
| CVE-2021-24153 | Yoast SEO < 3.4.1 - Authenticated Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24165 | Ninja Forms < 3.4.34 - Administrator Open Redirect | |
| CVE-2021-24163 | Ninja Forms < 3.4.34 - Authenticated SendWP Plugin Installation and Client Secret Key Disc | |
| CVE-2021-24159 | Contact Form 7 Style <= 3.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting | |
| CVE-2021-24176 | JH 404 Logger <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24175 | The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass | |
| CVE-2021-24174 | Database Backups <= 1.2.2.6 - CSRF to Backup Download | |
| CVE-2021-24173 | VM Backups <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24172 | VM Backups <= 1.0 - CSRF to Database Backup Download | |
| CVE-2021-24171 | WooCommerce Upload Files < 59.4 - Unauthenticated Arbitrary File Upload | |
| CVE-2021-24170 | User Profile Picture < 2.5.0 - Sensitive Information Disclosure |
Showing 20 of 45 CVEs. View all on vendor page →
IV. 関連脆弱性
- CVE-2026-32445
WordPress Elementor Website Builder plugin <= 3.35.5 - Broke - CVE-2026-32352
WordPress Elementor Website Builder plugin <= 3.35.5 - Cross - CVE-2024-50555
WordPress Elementor Website Builder plugin <= 3.29.0 - Cross - CVE-2025-67588
WordPress Elementor Website Builder plugin <= 3.33.0 - Broke - CVE-2024-54444
WordPress Elementor plugin <= 3.25.10 - Cross Site Scripting
同じベンダー: Unknown
- CVE-2026-6433
Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection t - CVE-2026-4935
SureTriggers < 1.1.23 – Unauthenticated SQLi - CVE-2026-5335
Magic Export & Import < 1.2.0 - Unauthenticated PII Disclosu - CVE-2026-5337
Frontend File Manager Plugin <= 23.6 - Subscriber+ Arbitrary - CVE-2026-5306
Check & Log Email < 2.0.13 - Unauthenticated Stored XSS
同じ弱点: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. CVE-2021-24206へのコメント
まだコメントはありません