CVE-2021-24958: Meks Easy Photo Feed Widget < 1.2.4 - Subscriber+ Settings Update to Stored XSS

Vendor Unknown
Product Meks Easy Photo Feed Widget
Weakness CWE-79 · XSS
Published March 14, 2022
Last update August 3, 2024

Description

The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not perform capability or CSRF (nonce) checks in the meks_save_business_selected_account AJAX action, which is available to any authenticated user, and does not escape some of the settings it stores. As a result, any authenticated user, such as a subscriber, can update the plugin's settings and put Cross-Site Scripting payloads in them (stored XSS).
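As an added illustration of the controls the description says were missing (this is not the plugin's own code or the vendor's fix), the following hypothetical WordPress AJAX handler shows the three pieces that close this class of issue: a nonce check against CSRF, a capability check so that subscribers cannot reach a settings-update action, and sanitize-on-save plus escape-on-output so a stored value cannot execute as script. The action name, option name, nonce action and POST field names are assumptions.

```php
<?php
// Hypothetical hardened settings-update AJAX handler (illustration only,
// not the plugin's code). Registering only the wp_ajax_ hook (and not
// wp_ajax_nopriv_) already limits the action to logged-in users, but that
// still includes subscribers, so the checks inside the handler are what matter.
add_action( 'wp_ajax_example_save_selected_account', 'example_save_selected_account' );

function example_save_selected_account() {
    // CSRF check: the request must carry a nonce issued to this user for this
    // action. The admin page creates it with wp_create_nonce( 'example_save_account' )
    // and its JavaScript sends it as the 'nonce' POST field. On failure this
    // call ends the request with a -1 response.
    check_ajax_referer( 'example_save_account', 'nonce' );

    // Capability check: only users allowed to manage options may change settings.
    // Without this line any authenticated user could reach the update below.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // Sanitize on save: strip tags and control characters before storing.
    $account = isset( $_POST['account'] )
        ? sanitize_text_field( wp_unslash( $_POST['account'] ) )
        : '';

    update_option( 'example_selected_account', $account );

    wp_send_json_success( array( 'account' => $account ) );
}

// Escape on output: when the stored setting is rendered back into the admin
// page, escape it for the HTML attribute context it lands in. Even if a value
// reached the database unsanitized, it is rendered as text, not markup.
function example_render_selected_account() {
    $account = get_option( 'example_selected_account', '' );
    printf(
        '<input type="text" name="account" value="%s" />',
        esc_attr( $account )
    );
}
```

Each of the three controls addresses a distinct failure named in the advisory: the nonce check defeats cross-site request forgery, the capability check removes the subscriber-level access, and sanitizing plus escaping removes the stored XSS even if a settings write does slip through.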

Disclosure timeline

March 14, 2022 CVE published
August 3, 2024 Record updated