CVE-2021-24129

CVE-2021-24129: Themify Portfolio Post < 1.1.6 - Authenticated Stored Cross-Site Scripting

Vendor Unknown

Product Themify Portfolio Post

Weakness CWE-79 · XSS

Published March 18, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation.

Key dates

02Disclosure timeline

March 18, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24129 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-12189 WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2023-45683 Cross site scripting via missing binding syntax validation In ACS location in github.com/crewjam/saml CVE-2026-6216 DbGate SVG Icon String FontIcon.svelte cross site scripting CVE-2022-38379 CVE-2025-60183 WordPress Silencesoft RSS Reader Plugin <= 0.6 - Cross Site Scripting (XSS) Vulnerability