CVE-2021-36899 Reflected XSS vulnerability in the Asset CleanUp: Page Speed Booster plugin = 1.3.8.4 at WordPress.
The vulnerability allows an attacker to inject malicious code into the website's database by manipulating vulnerable input fields. This can lead to data leakage, session hijacking, or redirecting users to inappropriate locations. An attacker can exploit this vulnerability to execute malicious code on the website.
An attacker must convince users to visit a malicious website, e.g. a phishing site or a compromised WordPress site. The attacker must convince users to install a malicious plugin.
An attacker must compromise a site with this vulnerability.
An attacker must have access to a site with this vulnerability.
An attacker must have a user visit a malicious website. Exploitation of the vulnerability requires that a user is logged in to the website.
Impact of the vulnerability An attacker can exploit this vulnerability to inject malicious code into the website's database.
An attacker can exploit this vulnerability to perform session hijacking or redirect users to an inappropriate location.
An attacker can exploit this vulnerability to steal data, such as user login data.
MITRE rating This XSS vulnerability is rated as a Critical severity due to the fact that user session data can be stolen, and that a malicious plugin can be installed without user interaction.
Patch information XSS vulnerabilities cannot be patched. Users can mitigate these vulnerabilities by: Not installing untrusted plug-ins.
Ensuring that user input is validated.
References !---
- https://www.thehackernews.com/2018/10/what-is-a-csrf-cross-site-request-forgery
How to outsource SEO correctly & avoid the 5 most common mistakes
Vulnerable code:
Timeline
Published on: 10/11/2022 18:15:00 UTC
Last modified on: 10/11/2022 20:23:00 UTC
References
- https://wordpress.org/plugins/wp-asset-clean-up/#developers
- https://patchstack.com/database/vulnerability/wp-asset-clean-up/wordpress-asset-cleanup-page-speed-booster-plugin-1-3-8-4-authenticated-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36899