WordPress Plugin: yith-maintenance-mode: CVE-2021-36845: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity | CVSS (v2 vector) | Published | Added | Modified |
---|---|---|---|---|
7 | (AV:N/AC:L/Au:M/C:C/I:P/A:N) | Sep 23, 2021 | May 15, 2025 | Jun 24, 2025 |
Description
Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.8. 46 vulnerable parameters were missed by the vendor while patching version 1.3.7 to 1.3.8. Each parameter is a plugin setting whose stored value is rendered back into the admin settings page, so a payload that breaks out of the surrounding attribute context executes automatically when an administrator opens the affected page/tab. The parameter names below are the setting names as submitted by the settings form.

Vulnerable parameters:

1 - "Newsletter" tab, yith_maintenance_newsletter_submit_label parameter: the payload must start with a single quote (') to break out of the attribute context, e.g. NOTIFY ME' autofocus onfocus=alert(/Visse/);// v=' . This payload is triggered automatically while an admin visits this page/tab.

2 - "General" tab, vulnerable parameters: yith_maintenance_message, yith_maintenance_custom_style, yith_maintenance_mascotte, yith_maintenance_title_font[size], yith_maintenance_title_font[family], yith_maintenance_title_font[color], yith_maintenance_paragraph_font[size], yith_maintenance_paragraph_font[family], yith_maintenance_paragraph_font[color], yith_maintenance_border_top.

3 - "Background" tab, vulnerable parameters: yith_maintenance_background_image, yith_maintenance_background_color.

4 - "Logo" tab, vulnerable parameters: yith_maintenance_logo_image, yith_maintenance_logo_tagline, yith_maintenance_logo_tagline_font[size], yith_maintenance_logo_tagline_font[family], yith_maintenance_logo_tagline_font[color].

5 - "Newsletter" tab, vulnerable parameters: yith_maintenance_newsletter_email_font[size], yith_maintenance_newsletter_email_font[family], yith_maintenance_newsletter_email_font[color], yith_maintenance_newsletter_submit_font[size], yith_maintenance_newsletter_submit_font[family], yith_maintenance_newsletter_submit_font[color], yith_maintenance_newsletter_submit_background, yith_maintenance_newsletter_submit_background_hover, yith_maintenance_newsletter_title, yith_maintenance_newsletter_action, yith_maintenance_newsletter_email_label, yith_maintenance_newsletter_email_name, yith_maintenance_newsletter_submit_label, yith_maintenance_newsletter_hidden_fields.

6 - "Socials" tab, vulnerable parameters: yith_maintenance_socials_facebook, yith_maintenance_socials_twitter, yith_maintenance_socials_gplus, yith_maintenance_socials_youtube, yith_maintenance_socials_rss, yith_maintenance_socials_skype, yith_maintenance_socials_email, yith_maintenance_socials_behance, yith_maintenance_socials_dribble, yith_maintenance_socials_flickr, yith_maintenance_socials_instagram, yith_maintenance_socials_pinterest, yith_maintenance_socials_tumblr, yith_maintenance_socials_linkedin.
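The following is an added example, not code from the plugin or from this advisory. It reproduces the attribute-context break-out described above in Python so it can be run offline: a stored setting is written into a single-quoted value='...' attribute, and the payload quoted in the description is fed through three renderers. The markup template and the option name are assumptions that mimic the pattern, not the plugin's actual output. The middle renderer deliberately escapes only &, <, > and double quotes (the default behaviour of PHP's htmlspecialchars() without ENT_QUOTES) to show why that is not enough in a single-quoted attribute; the hardened renderer escapes single quotes as well, which is what WordPress esc_attr() does.

```python
import html
from html.parser import HTMLParser

# Payload quoted in the advisory: closes the single-quoted attribute, then
# injects two new attributes on the <input>; the trailing v=' swallows the
# template's own closing quote so the tag stays well-formed.
ADVISORY_PAYLOAD = "NOTIFY ME' autofocus onfocus=alert(/Visse/);// v='"

# Assumed option name and markup (hypothetical, modelled on the vulnerable pattern).
OPTION = "yith_maintenance_newsletter_submit_label"


def render_unescaped(value: str) -> str:
    """Vulnerable pattern: stored option echoed straight into a single-quoted attribute."""
    return f"<input type='submit' name='{OPTION}' value='{value}'>"


def render_double_quote_only(value: str) -> str:
    """Escapes &, <, > and " but NOT ' (what PHP htmlspecialchars() does by default)."""
    escaped = html.escape(value, quote=False).replace('"', "&quot;")
    return f"<input type='submit' name='{OPTION}' value='{escaped}'>"


def render_escaped(value: str) -> str:
    """Hardened pattern: escape all five characters, as WordPress esc_attr() does."""
    return f"<input type='submit' name='{OPTION}' value='{html.escape(value, quote=True)}'>"


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser would see on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(markup: str) -> dict:
    """Parse the rendered tag and return its attributes (values unescaped by the parser)."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """True if the rendered <input> carries any on* attribute, i.e. the context was broken."""
    return any(name.startswith("on") for name in input_attributes(markup))


if __name__ == "__main__":
    for label, renderer in (
        ("unescaped", render_unescaped),
        ("double-quote-only escaping", render_double_quote_only),
        ("esc_attr-style escaping", render_escaped),
    ):
        markup = renderer(ADVISORY_PAYLOAD)
        print(f"{label}: handler injected = {has_event_handler(markup)}")
        print("  ", markup)
```

The parsed attribute list is the check a practitioner wants: with the unescaped and double-quote-only renderers the <input> gains an autofocus attribute and an onfocus handler, which is exactly why the advisory's payload fires without user interaction; with esc_attr-style escaping the whole payload survives only as the literal value of the value attribute.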
Solution
yith-maintenance-mode-plugin-cve-2021-36845