Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for clarity by microsoft
CVE-2024-0590 (GCVE-0-2024-0590)
Vulnerability from nvd – Published: 2024-02-20 18:56 – Updated: 2026-04-08 17:20
VLAI?
Title
Microsoft Clarity <= 0.9.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Summary
The Microsoft Clarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the edit_clarity_project_id() function. This makes it possible for unauthenticated attackers to change the project id and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| microsoft | Microsoft Clarity |
Affected:
0 , ≤ 0.9.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0590",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-29T16:54:44.139578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:58:46.101Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:11:35.648Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2f4461b-1373-4d09-8430-14d1961e1644?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3036293%40microsoft-clarity\u0026new=3036293%40microsoft-clarity\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Microsoft Clarity",
"vendor": "microsoft",
"versions": [
{
"lessThanOrEqual": "0.9.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "GiongfNef"
},
{
"lang": "en",
"type": "finder",
"value": "Kodai Kubono"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Microsoft Clarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the edit_clarity_project_id() function. This makes it possible for unauthenticated attackers to change the project id and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:20:17.058Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2f4461b-1373-4d09-8430-14d1961e1644?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3036293%40microsoft-clarity\u0026new=3036293%40microsoft-clarity\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Microsoft Clarity \u003c= 0.9.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0590",
"datePublished": "2024-02-20T18:56:44.227Z",
"dateReserved": "2024-01-16T13:42:32.077Z",
"dateUpdated": "2026-04-08T17:20:17.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-33850 (GCVE-0-2021-33850)
Vulnerability from nvd – Published: 2021-11-19 15:52 – Updated: 2024-08-04 00:05
VLAI?
Summary
There is a Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3. The XSS payload executes whenever the user changes the clarity configuration in Microsoft Clarity version 0.3. The payload is stored on the configuring project Id page.
Severity ?
No CVSS data available.
CWE
- Improper Neutralization of Input During Web Page Generation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Microsoft Clarity |
Affected:
0.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:05:51.078Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33850-stored-cross-site-scripting-xss-in-wordpress-microsoft-clarity-plugin.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Microsoft Clarity",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "There is a Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3. The XSS payload executes whenever the user changes the clarity configuration in Microsoft Clarity version 0.3. The payload is stored on the configuring project Id page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Input During Web Page Generation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-19T15:52:43.000Z",
"orgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
"shortName": "CSW"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33850-stored-cross-site-scripting-xss-in-wordpress-microsoft-clarity-plugin.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "disclose@cybersecurityworks.com",
"ID": "CVE-2021-33850",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Microsoft Clarity",
"version": {
"version_data": [
{
"version_value": "0.3"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is a Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3. The XSS payload executes whenever the user changes the clarity configuration in Microsoft Clarity version 0.3. The payload is stored on the configuring project Id page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurityworks.com/zerodays/cve-2021-33850-stored-cross-site-scripting-xss-in-wordpress-microsoft-clarity-plugin.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33850-stored-cross-site-scripting-xss-in-wordpress-microsoft-clarity-plugin.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
"assignerShortName": "CSW",
"cveId": "CVE-2021-33850",
"datePublished": "2021-11-19T15:52:43.000Z",
"dateReserved": "2021-06-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T00:05:51.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0590 (GCVE-0-2024-0590)
Vulnerability from cvelistv5 – Published: 2024-02-20 18:56 – Updated: 2026-04-08 17:20
VLAI?
Title
Microsoft Clarity <= 0.9.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Summary
The Microsoft Clarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the edit_clarity_project_id() function. This makes it possible for unauthenticated attackers to change the project id and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| microsoft | Microsoft Clarity |
Affected:
0 , ≤ 0.9.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0590",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-29T16:54:44.139578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:58:46.101Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:11:35.648Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2f4461b-1373-4d09-8430-14d1961e1644?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3036293%40microsoft-clarity\u0026new=3036293%40microsoft-clarity\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Microsoft Clarity",
"vendor": "microsoft",
"versions": [
{
"lessThanOrEqual": "0.9.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "GiongfNef"
},
{
"lang": "en",
"type": "finder",
"value": "Kodai Kubono"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Microsoft Clarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the edit_clarity_project_id() function. This makes it possible for unauthenticated attackers to change the project id and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:20:17.058Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2f4461b-1373-4d09-8430-14d1961e1644?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3036293%40microsoft-clarity\u0026new=3036293%40microsoft-clarity\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Microsoft Clarity \u003c= 0.9.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0590",
"datePublished": "2024-02-20T18:56:44.227Z",
"dateReserved": "2024-01-16T13:42:32.077Z",
"dateUpdated": "2026-04-08T17:20:17.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-33850 (GCVE-0-2021-33850)
Vulnerability from cvelistv5 – Published: 2021-11-19 15:52 – Updated: 2024-08-04 00:05
VLAI?
Summary
There is a Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3. The XSS payload executes whenever the user changes the clarity configuration in Microsoft Clarity version 0.3. The payload is stored on the configuring project Id page.
Severity ?
No CVSS data available.
CWE
- Improper Neutralization of Input During Web Page Generation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Microsoft Clarity |
Affected:
0.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:05:51.078Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33850-stored-cross-site-scripting-xss-in-wordpress-microsoft-clarity-plugin.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Microsoft Clarity",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "There is a Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3. The XSS payload executes whenever the user changes the clarity configuration in Microsoft Clarity version 0.3. The payload is stored on the configuring project Id page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Input During Web Page Generation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-19T15:52:43.000Z",
"orgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
"shortName": "CSW"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33850-stored-cross-site-scripting-xss-in-wordpress-microsoft-clarity-plugin.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "disclose@cybersecurityworks.com",
"ID": "CVE-2021-33850",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Microsoft Clarity",
"version": {
"version_data": [
{
"version_value": "0.3"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is a Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3. The XSS payload executes whenever the user changes the clarity configuration in Microsoft Clarity version 0.3. The payload is stored on the configuring project Id page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurityworks.com/zerodays/cve-2021-33850-stored-cross-site-scripting-xss-in-wordpress-microsoft-clarity-plugin.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33850-stored-cross-site-scripting-xss-in-wordpress-microsoft-clarity-plugin.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
"assignerShortName": "CSW",
"cveId": "CVE-2021-33850",
"datePublished": "2021-11-19T15:52:43.000Z",
"dateReserved": "2021-06-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T00:05:51.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}