CVE-2021-24503

CVE-2021-24503: Popular Brand SVG Icons - Simple Icons < 2.7.8 - Contributor+ Stored XSS

Vendor: Unknown
Product: Popular Brand Icons – Simple Icons (WordPress plugin)
Weakness: CWE-79 (Cross-Site Scripting)
Published: August 2, 2021
Last update: August 3, 2024

Description

The Popular Brand Icons – Simple Icons WordPress plugin before 2.7.8 does not sanitise or validate some of its shortcode parameters, such as "color", "size" or "class", allowing users with a role as low as Contributor to place a Cross-Site Scripting payload in them. A post made by a Contributor would still have to be approved by an administrator before the XSS is triggered on the frontend; however, higher-privilege users such as Editors could exploit this without approval, and even when the blog disallows the unfiltered_html capability.
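The root cause described above is a shortcode handler that copies attribute values straight into HTML. The following is an added example written for this record, not the plugin's own code: a hypothetical `example_icon` shortcode in its unsafe form next to a hardened form that validates each parameter ("color", "size", "class", "icon") against the shape it is allowed to have and escapes every value at the output sink with WordPress's own `esc_attr()`. Function names, attribute names and the accepted value shapes are assumptions for illustration.

```php
<?php
// Added example (hypothetical handler, not the Simple Icons plugin's code).

// Unsafe pattern, the class of bug in this CVE: shortcode attributes are
// concatenated into markup without validation or escaping. Any author who
// can save a post can place a shortcode, so this is reachable by Contributors
// and Editors regardless of the unfiltered_html capability.
function example_icon_shortcode_unsafe( $atts ) {
    $atts = (array) $atts;
    return '<span class="' . $atts['class'] . '" style="color:#' . $atts['color'] . '"></span>';
}

// Hardened handler: validate first, escape at the sink.
function example_icon_shortcode( $atts ) {
    // shortcode_atts() fills in defaults and discards attributes we never declared.
    $atts = shortcode_atts(
        array(
            'icon'  => '',
            'color' => '000000',
            'size'  => 24,
            'class' => '',
        ),
        $atts,
        'example_icon'
    );

    // "color": accept only 3- or 6-digit hex, otherwise fall back to the default.
    $color = preg_match( '/^[0-9a-fA-F]{3}([0-9a-fA-F]{3})?$/', $atts['color'] )
        ? $atts['color']
        : '000000';

    // "size": coerce to a bounded positive integer so it can only ever be a number.
    $size = min( max( absint( $atts['size'] ), 1 ), 512 );

    // "class": split on whitespace and reduce each token to CSS class characters.
    $tokens  = preg_split( '/\s+/', trim( $atts['class'] ) );
    $classes = array_filter( array_map( 'sanitize_html_class', $tokens ) );
    $class   = implode( ' ', $classes );

    // "icon": lowercase slug characters only.
    $icon = sanitize_key( $atts['icon'] );

    // esc_attr() at the output sink is the last line of defence: even a value
    // that somehow slipped through validation cannot terminate the attribute.
    return sprintf(
        '<span class="simple-icon %s" data-icon="%s" style="color:#%s;width:%dpx;height:%dpx;"></span>',
        esc_attr( $class ),
        esc_attr( $icon ),
        esc_attr( $color ),
        $size,
        $size
    );
}
add_shortcode( 'example_icon', 'example_icon_shortcode' );
```

The design point is that validation and escaping are separate controls: validation (hex-only colour, integer size, class tokens) shrinks each value to the shape the markup expects, while `esc_attr()` at the point of output guarantees that whatever remains cannot break out of the attribute. Relying on author roles or the unfiltered_html setting does not help here, because shortcode output is generated by the plugin at render time, not filtered as post content.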

Disclosure timeline

August 2, 2021: CVE published
August 3, 2024: Record updated
