CVE-2021-24408

CVE-2021-24408: Prismatic < 2.8 - Contributor+ Stored XSS

Vendor Jeff Starr
Product Prismatic
Weakness CWE-79 · XSS
Published July 12, 2021
Last update August 3, 2024

CVSS base score

What the vulnerability does

01Description

The Prismatic WordPress plugin before 2.8 does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS trigger able in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.

Key dates

02Disclosure timeline

July 12, 2021 CVE published
August 3, 2024 Record updated