CVE-2021-24618

CVE-2021-24618: Donate With QRCode < 1.4.5 - Stored Cross-Site Scripting

Vendor: Unknown
Product: Donate With QRCode
Weakness: CWE-79 · XSS
Published: September 20, 2021
Last update: August 3, 2024

What the vulnerability does

01 Description

The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which results in Stored Cross-Site Scripting (XSS). Furthermore, the plugin does not have any CSRF or capability checks in place when saving this setting, allowing any authenticated user (as low as subscriber), or an unauthenticated user via a CSRF vector, to update it and perform such an attack.
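The three controls the description reports as missing (capability check, CSRF nonce, sanitising and escaping the stored value), shown as an added PHP example that is not the plugin's own code. The `dwq_` function, option, action and page names are hypothetical, the setting is assumed to hold an image URL, and the code assumes it is loaded inside WordPress as a plugin.

```php
<?php
// Added example: hypothetical plugin code, not taken from Donate With QRCode.
// All dwq_* names and the settings page slug are assumptions.

// Weak pattern matching the description: the value is stored as submitted
// and echoed without escaping, with no nonce or capability check.
//   update_option( 'dwq_qrcode_image', $_POST['qrcode_image'] );
//   echo '<img src="' . get_option( 'dwq_qrcode_image' ) . '">';

// Hardened save handler, routed through admin-post.php for logged-in users only.
add_action( 'admin_post_dwq_save_settings', 'dwq_save_settings' );

function dwq_save_settings() {
    // Capability check: subscribers lack manage_options and are rejected.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: terminates unless a valid nonce for this action is present.
    check_admin_referer( 'dwq_save_settings', 'dwq_nonce' );

    // Sanitise on input: keep only a well-formed http(s) URL.
    $raw = isset( $_POST['qrcode_image'] ) ? wp_unslash( $_POST['qrcode_image'] ) : '';
    $url = esc_url_raw( $raw, array( 'http', 'https' ) );
    update_option( 'dwq_qrcode_image', $url );

    wp_safe_redirect( admin_url( 'options-general.php?page=dwq-settings' ) );
    exit;
}

// Settings form: emits the nonce field that the handler verifies.
function dwq_render_settings_form() {
    $url = get_option( 'dwq_qrcode_image', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="dwq_save_settings">';
    wp_nonce_field( 'dwq_save_settings', 'dwq_nonce' );
    echo '<input type="url" name="qrcode_image" value="' . esc_attr( $url ) . '">';
    submit_button();
    echo '</form>';
}

// Escape on output: the stored value is treated as untrusted when rendered.
function dwq_render_qrcode() {
    $url = get_option( 'dwq_qrcode_image', '' );
    if ( '' !== $url ) {
        echo '<img src="' . esc_url( $url ) . '" alt="Donation QR code">';
    }
}
```

Escaping at render time still matters after the save path is fixed, because a value stored by a vulnerable version remains in the options table after the upgrade.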

Key dates

02 Disclosure timeline

September 20, 2021 CVE published
August 3, 2024 Record updated