Medium severity5.4NVD Advisory· Published Aug 9, 2021· Updated Jun 17, 2026
CVE-2021-24509
CVE-2021-24509
Description
The Page View Count WordPress plugin before 2.4.9 does not escape the postid parameter of pvc_stats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- WordPress/Page View Count plugindescription
- Range: <2.4.9
Patches
Vulnerability mechanics
References
1- wpscan.com/vulnerability/06df2729-21da-4c22-ae1e-dda1f15bdf8fnvdExploitThird Party Advisory
News mentions
0No linked articles in our index yet.