CVE-2021-24365

CVE-2021-24365: Admin Columns Free (< 4.3.2) & Pro (< 5.5.2) - Authenticated Stored Cross-Site Scripting (XSS) in Custom Field

Vendor Admincolumns

Product Admin Columns

Weakness CWE-79 · XSS

Published July 12, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Admin Columns WordPress plugin Free before 4.3.2 and Pro before 5.5.2 allowed to configure individual columns for tables. Each column had a type. The type "Custom Field" allowed to choose an arbitrary database column to display in the table. There was no escaping applied to the contents of "Custom Field" columns.

Key dates

02Disclosure timeline

July 12, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24365 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-23497 Frappe LMS has a Stored XSS via Unsanitized Image Filename in Course and Jobs Pages CVE-2024-5427 WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce <= 2.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Reservation Form Shortcode CVE-2025-13802 jairiidriss RestaurantWebsite Make a Reservation cross site scripting CVE-2025-47449 WordPress Meow Gallery plugin <= 5.2.7 - Cross Site Scripting (XSS) Vulnerability CVE-2021-24286 Redirect 404 to Parent < 1.3.1 - Reflected Cross-Site Scripting (XSS)

Identifiers

CVE CVE-2021-24365

CWE CWE-79

Affected versions

Vendor Admincolumns

Product Admin Columns

Affected ≥ 4.3.2 and < 4.3.2

Vendor Admincolumns

Product Admin Columns Pro

Affected ≥ 5.5.2 and < 5.5.2