{
  "id": "CVE-2021-33852",
  "sourceIdentifier": "disclose@cybersecurityworks.com",
  "published": "2022-03-10T17:42:36.343",
  "lastModified": "2022-03-12T04:10:13.927",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the \"Duplicate Title\" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts."
    },
    {
      "lang": "es",
      "value": "Un ataque de tipo cross-site Scripting (XSS) puede hacer que se ejecute c\u00f3digo arbitrario (JavaScript) en el navegador de un usuario y puede utilizar una aplicaci\u00f3n como veh\u00edculo para el ataque. La carga \u00fatil XSS dada en el cuadro de texto \"Duplicar t\u00edtulo\" se ejecuta cada vez que el usuario abre la p\u00e1gina de configuraci\u00f3n del plugin Post Duplicator o la p\u00e1gina ra\u00edz de la aplicaci\u00f3n despu\u00e9s de duplicar cualquiera de las publicaciones existentes"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "CHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "accessVector": "NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "SINGLE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.5
        },
        "baseSeverity": "LOW",
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": true
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ]
    },
    {
      "source": "disclose@cybersecurityworks.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:metaphorcreations:post_duplicator:2.23:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "94E3678C-D6B0-4EFF-9629-27840189A887"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://cybersecurityworks.com/zerodays/cve-2021-33852-stored-cross-site-scripting-in-wordpress-post-duplicator-plugin-2-23.html",
      "source": "disclose@cybersecurityworks.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ]
    }
  ]
}