### [CVE-2021-25014](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25014)
![](https://img.shields.io/static/v1?label=Product&message=Ibtana%20%E2%80%93%20WordPress%20Website%20Builder&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=1.1.4.9%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-862%20Missing%20Authorization&color=brightgreen)

### Description

The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue.

### POC

#### Reference
- https://wpscan.com/vulnerability/63c58d7f-8e0b-4aa5-b3c8-8726b4f19bf1

#### Github
- https://github.com/20142995/nuclei-templates