CVE-2021-24243

Summary

An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.6 did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend pages.

Affected Software

VendorProductVersion RangeStatus
bitorbitWPBakery Page Builder (Visual Composer) Clipboard4.5.0 < 4.5.0*affected
bitorbitWPBakery Page Builder (Visual Composer) Clipboard4.5.6 < 4.5.6affected

Weaknesses

  • CWE-79: CWE-79 Cross-site Scripting (XSS)

ADP Enrichment

CVE Program Container

Additional References

References