CVE-2021-24974

CVE-2021-24974: Product Feed PRO for WooCommerce < 11.0.7 - Subscriber+ Settings Update to Stored XSS

Vendor Unknown

Product Product Feed PRO for WooCommerce

Weakness CWE-79 · XSS

Published January 24, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Product Feed PRO for WooCommerce WordPress plugin before 11.0.7 does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue (which will be triggered in the admin dashboard) due to the lack of escaping.

Key dates

02Disclosure timeline

January 24, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24974

Related vulnerabilities

04Related CVE

CVE-2026-29175 Multiple Stored XSS in Commerce Inventory Page Leading to Session Hijacking CVE-2024-51870 WordPress Ultimate Flipbox Addon for Elementor plugin <= 1.0.4 - Cross Site Scripting (XSS) vulnerability CVE-2024-3603 OSM – OpenStreetMap <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2025-11278 AllStarLink Supermon AllMon2 cross site scripting CVE-2024-11225 Premium Packages – Sell Digital Products Securely <= 5.9.3 - Reflected Cross-Site Scripting via add_query_arg