CVE-2021-24320

moderate-risk
Published 2021-06-01

The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape its listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng, bt_bb_listing_field_distance_value, bt_bb_listing_field_my_lat_default, bt_bb_listing_field_keyword, bt_bb_listing_field_location_autocomplete, bt_bb_listing_field_price_range_from and bt_bb_listing_field_price_range_to parameter in ints listing page, leading to reflected Cross-Site Scripting issues.

Do I need to act?

!
50.3% chance of exploitation in next 30 days
EPSS score — higher than 50% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Bold-Themes

References (4)

Exploit https://m0ze.ru/vulnerability/%5B2021-03-21%5D-%5BWordPress%5D-%5BCWE-79%5D-Bell...
Exploit https://wpscan.com/vulnerability/6b5b42fd-028a-4405-b027-3266058029bb
Exploit https://m0ze.ru/vulnerability/%5B2021-03-21%5D-%5BWordPress%5D-%5BCWE-79%5D-Bell...
Exploit https://wpscan.com/vulnerability/6b5b42fd-028a-4405-b027-3266058029bb
46
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 18/34 · Moderate
Exposure 5/34 · Minimal