vulnerability

WordPress Plugin: business-manager: CVE-2021-39332: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
2	(AV:N/AC:H/Au:S/C:N/I:P/A:N)	Oct 14, 2021	May 15, 2025	Apr 30, 2026

Severity

CVSS

(AV:N/AC:H/Au:S/C:N/I:P/A:N)

Published

Oct 14, 2021

Added

May 15, 2025

Modified

Apr 30, 2026

Description

The Business Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found throughout the plugin which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.4.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Solution

business-manager-plugin-cve-2021-39332

References

https://www.cve.org/CVERecord?id=CVE-2021-39332
https://www.wordfence.com/threat-intel/vulnerabilities/id/94cbd525-de3b-448a-b65b-21c63208b8b8?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-25693
CVE-2021-39332
https://attackerkb.com/topics/CVE-2021-39332
CWE-79
EUVD-EUVD-2021-25693

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report