WordPress File Upload Pro <= 4.16.2 is vulnerable to Contributor+ Stored Cross-Site Scripting (XSS) via Shortcode vulnerability

Contributor

Published
2022-02-13

The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

CVE

https://www.cve.org/CVERecord?id=CVE-2021-24961

CVSS

Score:5.4

Severity:Medium

Version: 4.16.2

There is a patch available in v4.16.3 and we strongly recommend you update to this version as soon as possible.