| CVE | CVE-2021-24388 |
|---|---|
| CVSS | Medium (6.1) |
| Publicly Published | June 14, 2021 |
| Last Updated | January 22, 2024 |
| Researcher |
Satyender Yadav
|
In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom field option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it.
References| Software Type | Plugin |
|---|---|
| Software Slug | vikrentcar (view on wordpress.org) |
| Patched? | Yes |
| Affected Version |
|
| Patched Version |
|
Copyright 2012-2026 Defiant Inc.
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy.
License Detail.