CVE-2021-24797
Severity: MEDIUM | WAF coverage: High
CVSS: 6.1
Published: 2021-12-27
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
The Tickera WordPress plugin before 3.4.8.3 does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.
WAF Coverage Analysis
- Attack class: Cross-Site Scripting (XSS)
- WAF coverage: High
- OWASP Top 10: A03:2021 Injection
- Rule group: 941xxx - XSS / XXE
Affected Software
| Vendor | Product | Affected versions |
|---|---|---|
| tickera | tickera | up to 3.4.8.3 |
References
- wpscan.com (Exploit, Third Party Advisory)