ImageBoss < 3.0.6 – Admin+ Stored Cross-Site Scripting | CVE 2021-24888

Affects Plugins

imageboss

Fixed in 3.0.6

References

CVE

CVE-2021-24888

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.5 (low)

Miscellaneous

Original Researcher

Chevon Phillip

Verified

Yes

WPVDB ID

19bffa71-705c-42fc-b2ca-bf62fabb70a0

Timeline

Publicly Published

2020-05-11 (about 5 years ago)

Added

2021-10-20 (about 4 years ago)

Last Updated

2022-04-14 (about 3 years ago)

Other

Published

Title

Published

2022-11-16

Title

Donation Button <= 4.0.0 - Contributor+ Stored XSS

Published

2025-06-12

Title

Color Palette <= 4.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via hex Parameter

Published

2024-11-04

Title

Conversion Helper <= 1.12 - Reflected Cross-Site Scripting

Published

2023-08-18

Title

Stock Sync for WooCommerce < 2.4.1 - Reflected XSS

Published

2025-03-27

Title

Comment Approved Notifier Extended < 5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting