Business Manager < 1.4.6 – Admin+ Stored Cross-Site Scripting | CVE 2021-39332 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found throughout the plugin which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

business-manager

Fixed in 1.4.6

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39332

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Thinkland Security Team

Verified

No

WPVDB ID

26ddb520-63de-4cb3-af20-2d359962005d

Timeline

Publicly Published

2021-10-14 (about 4 years ago)

Added

2021-10-15 (about 4 years ago)

Last Updated

2023-10-25 (about 2 years ago)

Other

Published

Title

Published

2024-11-13

Title

Drozd – Addons for Elementor <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-12-17

Title

Easy Waveform Player < 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-01-20

Title

wpCAS <= 1.07 - Reflected Cross-Site Scripting

Published

2023-12-18

Title

Essential Real Estate < 4.4.0 - Subscriber+ Stored XSS

Published

2022-03-28

Title

Autolinks <= 1.0.1 - Stored Cross-Site Scripting via CSRF