CVE-2021-38359 MEDIUM

CVE-2021-38359: WordPress InviteBox Plugin <= 1.4.1 Reflected Cross-Site Scripting

Vendor Wordpress Invitebox Plugin
Product WordPress InviteBox Plugin
Weakness CWE-79 · XSS
Published September 10, 2021
Last update May 2, 2025
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The WordPress InviteBox Plugin for viral Refer-a-Friend Promotions WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the message parameter found in the ~/admin/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.1.

Key dates

02Disclosure timeline

September 10, 2021 CVE published
May 2, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-47077 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2023-29029 Rockwell Automation ArmorStart ST Vulnerable to Cross-Site Scripting Attack CVE-2024-23862 Cross-Site Scripting (XSS) vulnerability in Cups Easy CVE-2024-37549 WordPress Save as PDF plugin by Pdfcrowd plugin <= 4.0.0 - Cross Site Scripting (XSS) vulnerability CVE-2026-32493 WordPress JobSearch plugin <= 3.2.0 - Reflected Cross Site Scripting (XSS) vulnerability