CVE-2021-25983 MEDIUM

CVE-2021-25983: FactorJS - Reflected Cross-Site Scripting (XSS) in Tags and Categories Functionality

Vendor: Factorjs
Product: Factor
Weakness: CWE-79 · XSS
Published: November 16, 2021
Last update: April 30, 2025

CVSS base score

6.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The forum plugin of Factor (App Framework & Headless CMS), versions v1.3.8 to v1.8.30, is vulnerable to reflected Cross-Site Scripting (XSS) via the “tags” and “category” parameters in the URL. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies.

Key dates

02 Disclosure timeline

November 16, 2021: CVE published
April 30, 2025: Record updated
