WordPress Plugin: yith-maintenance-mode: CVE-2021-36845: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 3 | (AV:N/AC:M/Au:S/C:N/I:P/A:N) | Sep 23, 2021 | May 15, 2025 | Jul 10, 2025 |
Description
Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions 1.3.8 and earlier. 46 vulnerable parameters were missed by the vendor while patching version 1.3.7 to 1.3.8. Vulnerable parameters:

1. "Newsletter" tab, `yith_maintenance_newsletter_submit_label` parameter: the payload must start with a single quote (') to break out of the attribute context, e.g. `NOTIFY ME' autofocus onfocus=alert(/Visse/);// v='`. This payload is triggered automatically when an administrator visits this page/tab.
2. "General" tab, vulnerable parameters: `yith_maintenance_message`, `yith_maintenance_custom_style`, `yith_maintenance_mascotte`, `yith_maintenance_title_font[size]`, `yith_maintenance_title_font[family]`, `yith_maintenance_title_font[color]`, `yith_maintenance_paragraph_font[size]`, `yith_maintenance_paragraph_font[family]`, `yith_maintenance_paragraph_font[color]`, `yith_maintenance_border_top`.
3. "Background" tab, vulnerable parameters: `yith_maintenance_background_image`, `yith_maintenance_background_color`.
4. "Logo" tab, vulnerable parameters: `yith_maintenance_logo_image`, `yith_maintenance_logo_tagline`, `yith_maintenance_logo_tagline_font[size]`, `yith_maintenance_logo_tagline_font[family]`, `yith_maintenance_logo_tagline_font[color]`.
5. "Newsletter" tab, vulnerable parameters: `yith_maintenance_newsletter_email_font[size]`, `yith_maintenance_newsletter_email_font[family]`, `yith_maintenance_newsletter_email_font[color]`, `yith_maintenance_newsletter_submit_font[size]`, `yith_maintenance_newsletter_submit_font[family]`, `yith_maintenance_newsletter_submit_font[color]`, `yith_maintenance_newsletter_submit_background`, `yith_maintenance_newsletter_submit_background_hover`, `yith_maintenance_newsletter_title`, `yith_maintenance_newsletter_action`, `yith_maintenance_newsletter_email_label`, `yith_maintenance_newsletter_email_name`, `yith_maintenance_newsletter_submit_label`, `yith_maintenance_newsletter_hidden_fields`.
6. "Socials" tab, vulnerable parameters: `yith_maintenance_socials_facebook`, `yith_maintenance_socials_twitter`, `yith_maintenance_socials_gplus`, `yith_maintenance_socials_youtube`, `yith_maintenance_socials_rss`, `yith_maintenance_socials_skype`, `yith_maintenance_socials_email`, `yith_maintenance_socials_behance`, `yith_maintenance_socials_dribble`, `yith_maintenance_socials_flickr`, `yith_maintenance_socials_instagram`, `yith_maintenance_socials_pinterest`, `yith_maintenance_socials_tumblr`, `yith_maintenance_socials_linkedin`.
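As an added illustration (not the plugin's own code, which this record does not show), the output pattern the description implies: a stored option value echoed into a single-quoted HTML attribute without escaping, beside the same output routed through WordPress's esc_attr(). The option name is one of those listed above; the rendering functions, the esc_attr() stand-in for running outside WordPress, and the sample value are constructed for this example.

```php
<?php
// Added example: how an unescaped option value breaks out of a quoted
// attribute on a settings tab, and how attribute escaping prevents it.

// Stand-in so the file runs under the php CLI; WordPress supplies the real
// esc_attr(). ENT_QUOTES matters: without it a single quote passes through.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable rendering: a quote inside $label closes value='...' early and
// whatever follows becomes additional attributes of the <input> element.
function render_submit_label_unsafe(string $label): string {
    return "<input type='text' name='yith_maintenance_newsletter_submit_label'"
         . " value='" . $label . "'>";
}

// Hardened rendering: esc_attr() encodes the quote, so the stored string is
// confined to the attribute value regardless of its contents.
function render_submit_label_safe(string $label): string {
    return "<input type='text' name='yith_maintenance_newsletter_submit_label'"
         . " value='" . esc_attr($label) . "'>";
}

// Parse the markup the way a browser would and return the attributes the
// <input> actually ends up with; the count shows whether the context held.
function parsed_attributes(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $attrs = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $a) {
        $attrs[$a->name] = $a->value;
    }
    return $attrs;
}

// Constructed sample value: a leading quote followed by a harmless extra
// attribute, enough to show the attribute boundary being crossed.
$stored = "NOTIFY ME' autofocus data-injected='1";

print_r(parsed_attributes(render_submit_label_unsafe($stored)));
// -> type, name, value ("NOTIFY ME"), autofocus, data-injected: 5 attributes
print_r(parsed_attributes(render_submit_label_safe($stored)));
// -> type, name, value (the whole stored string, intact): 3 attributes
```

The same escaping applies to every parameter in the list above; values placed inside a <style> block or a URL attribute need the matching context-specific escaper rather than esc_attr().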
Solution
yith-maintenance-mode-plugin-cve-2021-36845