Admin Columns Free (< 4.3.2) & Pro (< 5.5.2) - Authenticated Stored Cross-Site Scripting (XSS) in Custom Field
Understanding CVE-2021-24365
This CVE affects the Admin Columns WordPress plugin, Free versions before 4.3.2 and Pro versions before 5.5.2, which allowed authenticated users to store Cross-Site Scripting (XSS) payloads in custom fields.
What is CVE-2021-24365?
The Admin Columns plugin allows the individual columns of a WordPress list table to be configured. One column type, "Custom Field", displayed its contents without proper escaping, so script content stored in the field was executed when the table was rendered.
The Impact of CVE-2021-24365
Attackers could exploit this vulnerability to insert arbitrary scripts, leading to unauthorized actions or data disclosure in the browser of any user who views a table containing the malicious code.
Technical Details of CVE-2021-24365
Vulnerability Description
The vulnerability stemmed from the lack of escaping applied to the contents of "Custom Field" columns, making it susceptible to Cross-Site Scripting (XSS) attacks.
Affected Systems and Versions
Admin Columns Free versions before 4.3.2 and Admin Columns Pro versions before 5.5.2 are affected.
Exploitation Mechanism
By configuring a table with a Custom Field column and storing script content in that field, an authenticated threat actor could have arbitrary scripts executed within the WordPress admin interface of anyone who viewed the table.
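The bug class described above, as an added illustration that is not Admin Columns' own code: a hypothetical column renderer that echoes a custom-field value unescaped, beside the corrected version that escapes on output. Function names, the CSS class and the sample value are constructed; in WordPress code the escaping call would be esc_html(), which performs the same conversion as the htmlspecialchars() call used here.

```php
<?php
// Hypothetical rendering code for illustration only; not Admin Columns' own code.
// It shows the bug class behind CVE-2021-24365: a custom-field value written into
// an admin list-table cell without output escaping, next to the escaped version.

// Constructed stand-in for a value read from post meta. In the real bug the value
// was stored by an authenticated user through the plugin's Custom Field column.
const SAMPLE_META_VALUE = '<script>alert(1)</script>';

// Vulnerable pattern: the stored string is concatenated straight into the markup,
// so any tags it contains are parsed by the browser of whoever views the table.
function render_custom_field_cell_vulnerable(string $meta_value): string {
    return '<td class="column-custom-field">' . $meta_value . '</td>';
}

// Fixed pattern: escape at the point of output. htmlspecialchars() turns <, >, &,
// " and ' into entities, so the value is displayed as text rather than parsed.
// esc_html() fills this role in WordPress code.
function render_custom_field_cell_fixed(string $meta_value): string {
    $safe = htmlspecialchars($meta_value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="column-custom-field">' . $safe . '</td>';
}

// Regression check for a sample that contains markup: the rendered cell must not
// contain the raw value verbatim. Returns true when the renderer escaped it.
function cell_is_escaped(string $rendered_cell, string $meta_value): bool {
    return strpos($rendered_cell, $meta_value) === false;
}

$cells = [
    'vulnerable' => render_custom_field_cell_vulnerable(SAMPLE_META_VALUE),
    'fixed'      => render_custom_field_cell_fixed(SAMPLE_META_VALUE),
];

foreach ($cells as $label => $cell) {
    $verdict = cell_is_escaped($cell, SAMPLE_META_VALUE)
        ? 'escaped, rendered as literal text'
        : 'UNESCAPED, raw tag reaches the page';
    echo $label, ': ', $verdict, "\n";
    echo '    ', $cell, "\n";
}
```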
Mitigation and Prevention
Immediate Steps to Take
Users are advised to update Admin Columns Free to version 4.3.2 or later and Admin Columns Pro to version 5.5.2 or later to mitigate the vulnerability.
Long-Term Security Practices
Regularly update plugins and software to patch vulnerabilities and follow secure coding practices to prevent XSS and other attacks.
Patching and Updates
Developers of the affected plugins have released updates that address the XSS vulnerability. It is crucial for users to apply these patches promptly to protect their systems from exploitation.