Asgaros Forums < 1.15.14 – Admin+ Stored Cross-Site Scripting | CVE 2021-42365 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/admin/tables/admin-structure-table.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

Fixed in 1.15.14

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-42365

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mohammed Aadhil Ashfaq

Verified

Yes

WPVDB ID

70b5fd89-4b59-4cbb-b60f-ac54fbb5a3e3

Timeline

Publicly Published

2021-11-29 (about 4 years ago)

Added

2021-11-29 (about 4 years ago)

Last Updated

2022-04-11 (about 4 years ago)

Other

Published

Title

Published

2024-12-11

Title

Library Bookshelves < 5.9 - Reflected Cross-Site Scripting

Published

2025-05-30

Title

FastSpring <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-05-24

Title

Inquiry Cart <= 3.4.2 - Stored XSS via CSRF

Published

2023-12-26

Title

Advanced Access Manager < 6.9.16 - Contributor+ Stored XSS

Published

2014-08-01

Title

haiku-minimalist-audio-player <= 1.1.0 - jPlayer.swf XSS