CVEs-PoC/2021/CVE-2021-24958.md

### [CVE-2021-24958](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24958)
![](https://img.shields.io/static/v1?label=Product&message=Meks%20Easy%20Photo%20Feed%20Widget&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=1.2.4%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-79%20Improper%20Neutralization%20of%20Input%20During%20Web%20Page%20Generation%20('Cross-site%20Scripting')&color=brightgreen)

### Description

The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as subscriber could update the plugin's settings and put Cross-Site Scripting payloads in them

### POC

#### Reference
- https://wpscan.com/vulnerability/011c2519-fd84-4c95-b8b8-23654af59d70

#### Github
- https://github.com/20142995/nuclei-templates