CVE-2021-24992

CVE-2021-24992: Buttonizer - Smart Floating Action Button < 2.5.5 - Admin+ Stored Cross-Site Scripting

Vendor Unknown

Product Smart Floating / Sticky Buttons – Call, Sharing, Chat Widgets & More – Buttonizer

Weakness CWE-79 · XSS

Published December 27, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Smart Floating / Sticky Buttons WordPress plugin before 2.5.5 does not sanitise and escape some parameter before outputting them in attributes and page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Key dates

02Disclosure timeline

December 27, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24992 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-41044 Stored Cross-Site Scripting vulnerability in appRain CMF CVE-2025-3302 Xagio SEO <= 7.1.0.16 - Unauthenticated Stored Cross-Site Scripting via 'HTTP_REFERER' CVE-2023-48615 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2022-0388 Interactive Medical Drawing of Human Body < 2.6 - Admin+ Stored XSS CVE-2025-53280 WordPress Football Pool plugin <= 2.12.5 - Cross Site Scripting (XSS) Vulnerability