cleantalk
Vulnerabilities and Security Researches

Prismatic, CVE-2021-24408

CVE, Research URL

CVE-2021-24408

Home page URL

Security reports for Prismatic

Application

Prismatic

Published on
Jul 13, 2021
Research Description
The Prismatic WordPress plugin before 2.8 does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS trigger able in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.
Affected versions
max 2.8.
Status
vulnerable
Previous vulnerability researches
Prismatic (CVE-2026-3876) , Apr 16, 2026
Prismatic (CVE-2021-24408) , Jun 07, 2024
Prismatic (CVE-2021-24409) , Jun 07, 2024
New vulnerability
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2026-3885) , Apr 16, 2026
Royal Elementor Addons and Templates (CVE-2026-40763) , Apr 16, 2026
WP Google Street View (with 360° virtual tour) & Google maps + Local SEO (CVE-2026-0563) , Apr 16, 2026
AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress (CVE-2026-3614) , Apr 16, 2026
Token of Trust: AI Identity Verification, Age Verification, and KYC (CVE-2026-2834) , Apr 16, 2026