CVE-2021-25060

CVE-2021-25060: Five Star Business Profile and Schema < 2.1.7 - Subscriber+ Page Creation & Settings Update to Stored XSS

Vendor: Unknown
Product: Five Star Business Profile and Schema
Weakness: CWE-79 · XSS
Published: February 21, 2022
Last update: August 3, 2024

What the vulnerability does

01 Description

The Five Star Business Profile and Schema WordPress plugin before 2.1.7 does not perform any authorisation or CSRF checks in its bpfwp_welcome_add_contact_page and bpfwp_welcome_set_contact_information AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Furthermore, due to the lack of sanitisation, this also leads to Stored Cross-Site Scripting issues.
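
The three checks the description says are missing, shown as an added example in PHP (this is not the plugin's code): two hypothetical `example_*` AJAX actions that verify a nonce, check a capability, and sanitise input before storing it. The action, nonce, option and field names and the chosen capabilities are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. The example_* action, nonce, option
// and field names are assumptions made for illustration.
// Shared gate: CSRF check first, then capability check.
function example_welcome_guard( $capability ) {
    if ( ! check_ajax_referer( 'example-welcome', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }
    // wp_ajax_* hooks fire for every logged-in user, subscribers included,
    // so the capability has to be checked inside the handler.
    if ( ! current_user_can( $capability ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }
}
// Read one POST field as a plain string (arrays and missing keys become '').
function example_post_string( $key ) {
    $value = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
    return is_string( $value ) ? $value : '';
}

add_action( 'wp_ajax_example_set_contact_information', function () {
    example_welcome_guard( 'manage_options' );
    $info = array(
        'name'  => sanitize_text_field( example_post_string( 'name' ) ),
        'phone' => sanitize_text_field( example_post_string( 'phone' ) ),
        'email' => sanitize_email( example_post_string( 'email' ) ),
    );
    update_option( 'example_contact_information', $info );
    wp_send_json_success( $info );
} );

add_action( 'wp_ajax_example_add_contact_page', function () {
    example_welcome_guard( 'publish_pages' );
    $page_id = wp_insert_post( array(
        'post_type'   => 'page',
        'post_status' => 'publish',
        'post_title'  => sanitize_text_field( example_post_string( 'title' ) ),
    ), true );
    if ( is_wp_error( $page_id ) ) {
        wp_send_json_error( array( 'message' => $page_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'page_id' => $page_id ) );
} );

// Stored values are still escaped at the point where they are printed.
function example_render_contact_name() {
    $info = get_option( 'example_contact_information', array() );
    echo esc_html( $info['name'] ?? '' );
}
```

The form that calls these actions would send a nonce created with `wp_create_nonce( 'example-welcome' )` in its `nonce` field.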

Key dates

02 Disclosure timeline

February 21, 2022: CVE published
August 3, 2024: Record updated