Key Information about Vulnerability

Description
Issue: Pie Register < 3.7.0.1 - Reflected Cross-Site Scripting (XSS)
Description: The plugin does not sanitize the GET parameter when outputting it in the Activation Code page, leading to a reflected XSS issue.

Proof of Concept
URL: https://example.com/wp-admin/admin.php?page=pr_new_registration_form&show_dash_widget=1&invitaion_code=PHNjcmVwdD5hbGVyinternetbrowser

Affected Plugin
Plugin: pie-register
Fixed in: 3.7.0.1

References
CVE: CVE-2021-24239
URL: https://plugins.trac.wordpress.org/changeset/2507536/

Classification
Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79
CVSS: 7.1 (High)

Miscellaneous
Original Researcher: ioheX
Submitter: ioheX
Submitter Twitter: ioheX
Verified: Yes
WPVDB ID: f1b67f40-642f-451e-a67a-b7487918ee34

Timeline
Publicly Published: 2021-04-03
Added: 2021-04-03
Last Updated: 2021-04-04