Search criteria
6 vulnerabilities found for mystickymenu by premio
FKIE_CVE-2023-5509
Vulnerability from fkie_nvd - Published: 2023-11-20 19:15 - Updated: 2024-11-21 08:41
Severity ?
Summary
The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions.
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/3b33c262-e7f0-4310-b26d-4727d7c25c9d | Exploit, Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/3b33c262-e7f0-4310-b26d-4727d7c25c9d | Exploit, Product, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| premio | mystickymenu | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:premio:mystickymenu:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "98A5DA0E-0DE2-438A-8830-6A1D792CC409",
"versionEndExcluding": "2.6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions."
},
{
"lang": "es",
"value": "El complemento myStickymenu de WordPress anterior a 2.6.5 no autoriza adecuadamente algunas llamadas ajax, lo que permite que cualquier usuario que haya iniciado sesi\u00f3n realice las acciones."
}
],
"id": "CVE-2023-5509",
"lastModified": "2024-11-21T08:41:54.760",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-20T19:15:09.813",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Product",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/3b33c262-e7f0-4310-b26d-4727d7c25c9d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Product",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/3b33c262-e7f0-4310-b26d-4727d7c25c9d"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-24425
Vulnerability from fkie_nvd - Published: 2021-08-02 11:15 - Updated: 2024-11-21 05:53
Severity ?
Summary
The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active)
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| premio | mystickymenu | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:premio:mystickymenu:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "A1E3B4BD-64BE-4CA3-A214-613784F456FC",
"versionEndExcluding": "2.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin\u0027s setting, as well as all front-page of the blog (when the Welcome bar is active)"
},
{
"lang": "es",
"value": "Los plugins Floating Notification Bar, Sticky Menu on Scroll, y Sticky Header for Any Theme \u00e2\u20ac\u201c myStickymenu de WordPress versiones anteriores a 2.5.2, no sanea o escapa de la configuraci\u00f3n de su Barra de Texto, permitiendo a usuarios con altos privilegios usar JavaScript malicioso en ella, conllevando a un problema de tipo Cross-Site Scripting Almacenado, que ser\u00e1 desencadenado en la configuraci\u00f3n del plugin, as\u00ed como en toda la p\u00e1gina principal del blog (cuando la Barra de Bienvenida est\u00e1 activa)"
}
],
"id": "CVE-2021-24425",
"lastModified": "2024-11-21T05:53:02.737",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-08-02T11:15:08.750",
"references": [
{
"source": "contact@wpscan.com",
"url": "https://m0ze.ru/vulnerability/%5B2021-05-21%5D-%5BWordPress%5D-%5BCWE-79%5D-MyStickymenu-WordPress-Plugin-v2.5.1.txt"
},
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://m0ze.ru/vulnerability/%5B2021-05-21%5D-%5BWordPress%5D-%5BCWE-79%5D-MyStickymenu-WordPress-Plugin-v2.5.1.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
}
]
}
CVE-2023-5509 (GCVE-0-2023-5509)
Vulnerability from cvelistv5 – Published: 2023-11-20 18:55 – Updated: 2024-08-02 07:59
VLAI?
Title
myStickymenu < 2.6.5 - Subscriber+ Arbitrary Form Leads Deletion
Summary
The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme |
Affected:
0 , < 2.6.5
(semver)
|
Credits
Krzysztof Zając
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/3b33c262-e7f0-4310-b26d-4727d7c25c9d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.6.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-20T18:55:10.363Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/3b33c262-e7f0-4310-b26d-4727d7c25c9d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "myStickymenu \u003c 2.6.5 - Subscriber+ Arbitrary Form Leads Deletion",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-5509",
"datePublished": "2023-11-20T18:55:10.363Z",
"dateReserved": "2023-10-10T23:27:19.261Z",
"dateUpdated": "2024-08-02T07:59:44.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24425 (GCVE-0-2021-24425)
Vulnerability from cvelistv5 – Published: 2021-08-02 10:31 – Updated: 2024-08-03 19:28
VLAI?
Title
myStickymenu < 2.5.2 - Authenticated Stored XSS
Summary
The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active)
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu |
Affected:
2.5.2 , < 2.5.2
(custom)
|
Credits
m0ze
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://m0ze.ru/vulnerability/%5B2021-05-21%5D-%5BWordPress%5D-%5BCWE-79%5D-MyStickymenu-WordPress-Plugin-v2.5.1.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.5.2",
"status": "affected",
"version": "2.5.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "m0ze"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin\u0027s setting, as well as all front-page of the blog (when the Welcome bar is active)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-02T10:31:54",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://m0ze.ru/vulnerability/%5B2021-05-21%5D-%5BWordPress%5D-%5BCWE-79%5D-MyStickymenu-WordPress-Plugin-v2.5.1.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "myStickymenu \u003c 2.5.2 - Authenticated Stored XSS",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24425",
"STATE": "PUBLIC",
"TITLE": "myStickymenu \u003c 2.5.2 - Authenticated Stored XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.5.2",
"version_value": "2.5.2"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "m0ze"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin\u0027s setting, as well as all front-page of the blog (when the Welcome bar is active)"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583"
},
{
"name": "https://m0ze.ru/vulnerability/[2021-05-21]-[WordPress]-[CWE-79]-MyStickymenu-WordPress-Plugin-v2.5.1.txt",
"refsource": "MISC",
"url": "https://m0ze.ru/vulnerability/[2021-05-21]-[WordPress]-[CWE-79]-MyStickymenu-WordPress-Plugin-v2.5.1.txt"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24425",
"datePublished": "2021-08-02T10:31:54",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:23.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5509 (GCVE-0-2023-5509)
Vulnerability from nvd – Published: 2023-11-20 18:55 – Updated: 2024-08-02 07:59
VLAI?
Title
myStickymenu < 2.6.5 - Subscriber+ Arbitrary Form Leads Deletion
Summary
The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme |
Affected:
0 , < 2.6.5
(semver)
|
Credits
Krzysztof Zając
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/3b33c262-e7f0-4310-b26d-4727d7c25c9d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.6.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-20T18:55:10.363Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/3b33c262-e7f0-4310-b26d-4727d7c25c9d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "myStickymenu \u003c 2.6.5 - Subscriber+ Arbitrary Form Leads Deletion",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-5509",
"datePublished": "2023-11-20T18:55:10.363Z",
"dateReserved": "2023-10-10T23:27:19.261Z",
"dateUpdated": "2024-08-02T07:59:44.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24425 (GCVE-0-2021-24425)
Vulnerability from nvd – Published: 2021-08-02 10:31 – Updated: 2024-08-03 19:28
VLAI?
Title
myStickymenu < 2.5.2 - Authenticated Stored XSS
Summary
The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active)
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu |
Affected:
2.5.2 , < 2.5.2
(custom)
|
Credits
m0ze
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://m0ze.ru/vulnerability/%5B2021-05-21%5D-%5BWordPress%5D-%5BCWE-79%5D-MyStickymenu-WordPress-Plugin-v2.5.1.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.5.2",
"status": "affected",
"version": "2.5.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "m0ze"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin\u0027s setting, as well as all front-page of the blog (when the Welcome bar is active)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-02T10:31:54",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://m0ze.ru/vulnerability/%5B2021-05-21%5D-%5BWordPress%5D-%5BCWE-79%5D-MyStickymenu-WordPress-Plugin-v2.5.1.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "myStickymenu \u003c 2.5.2 - Authenticated Stored XSS",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24425",
"STATE": "PUBLIC",
"TITLE": "myStickymenu \u003c 2.5.2 - Authenticated Stored XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.5.2",
"version_value": "2.5.2"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "m0ze"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme \u2013 myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin\u0027s setting, as well as all front-page of the blog (when the Welcome bar is active)"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/14632fa8-597e-49ff-8583-9797208a3583"
},
{
"name": "https://m0ze.ru/vulnerability/[2021-05-21]-[WordPress]-[CWE-79]-MyStickymenu-WordPress-Plugin-v2.5.1.txt",
"refsource": "MISC",
"url": "https://m0ze.ru/vulnerability/[2021-05-21]-[WordPress]-[CWE-79]-MyStickymenu-WordPress-Plugin-v2.5.1.txt"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24425",
"datePublished": "2021-08-02T10:31:54",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:23.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}