CVE-2021-24388

Published: Jul 6, 2021Modified: Jun 17, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it.

Affected (1)

Products: E4j: Vikrentcar Car Rental Management System

1 product

Vikrentcar Car Rental Management System

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
E4j Vikrentcar Car Rental Management System	Before 1.1.7

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://wpscan.com/vulnerability/e3f6576f-08cb-4278-8c79-3ef4d0b85cd9

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/e3f6576f-08cb-4278-8c79-3ef4d0b85cd9

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.