CVE-2021-24556

CVE-2021-24556: Email Subscriber <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)

Vendor Unknown

Product Email Subscriber

Weakness CWE-79 · XSS

Published August 23, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The kento_email_subscriber_ajax AJAX action of the Email Subscriber WordPress plugin through 1.1, does not properly sanitise, validate and escape the submitted subscribe_email and subscribe_name POST parameters, inserting them in the DB and then outputting them back in the Subscriber list (/wp-admin/edit.php?post_type=kes_campaign&page=kento_email_subscriber_list_settings), leading a Stored XSS issue.

Key dates

02Disclosure timeline

August 23, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24556 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-2144 Ultimate Addons for Beaver Builder – Lite <= 1.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Separator Widget CVE-2025-68836 WordPress Table of Contents Creator plugin <= 1.6.4.1 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2026-25599 Missing authentication and clear‑text data transmission affecting Orca heat pumps CVE-2023-47656 WordPress ANAC XML Bandi di Gara Plugin <= 7.5 is vulnerable to Cross Site Scripting (XSS) CVE-2023-23998 WordPress VikRentCar Plugin <= 1.3.0 is vulnerable to Cross Site Scripting (XSS)