vendor:
Mortgage Calculators WP
by:
Ceylan Bozogullarindan
4.8
CVSS
MEDIUM
Stored Cross-Site Scripting (XSS)
79
CWE
Product Name: Mortgage Calculators WP
Affected Version From: 1.52
Affected Version To: 1.52
Patch Exists: YES
Related CWE: CVE-2021-24904
CPE: 2.3:a:lenderd:mortgage_calculators_wp:1.52
Platforms Tested: Linux
2021
WordPress Plugin Mortgage Calculators WP 1.52 – Stored Cross-Site Scripting (XSS) (Authenticated)
The plugin gives users real-time estimates by providing mortgage calculators. It does not implement any sanitisation on the color value of the background of a calculator in admin panel, which could lead to authenticated Stored Cross-Site Scripting issues. An attacker can execute malicious javascript codes for all visitors of a page containing the calculator.
Mitigation:
Ensure that user input is properly sanitized and validated before being used in the application.