CVE-2021-24328

🗓️ 01 Jun 2021 11:33:31Reported by WPScanType

cve🔗 web.nvd.nist.gov📰️ 4 Media mentions👁 43 Views🌐 WEB

The WP Login Security and History WordPress plugin through 1.0 allows CSRF attacks and XSS payload injection

Reporter	Title	Published	Views	Family All 8
CNNVD	WordPress plugin WP Login Security and History 跨站脚本漏洞	1 Jun 202100:00	–	cnnvd
Cvelist	CVE-2021-24328 WP Login Security and History <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)	1 Jun 202111:33	–	cvelist
EUVD	EUVD-2021-11241	7 Oct 202500:30	–	euvd
NVD	CVE-2021-24328	1 Jun 202114:15	–	nvd
Prion	Cross site request forgery (csrf)	1 Jun 202114:15	–	prion
RedhatCVE	CVE-2021-24328	22 May 202518:23	–	redhatcve
wpexploit	WP Login Security and History <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)	12 Apr 202100:00	–	wpexploit
WPVulnDB	WP Login Security and History <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)	12 Apr 202100:00	–	wpvulndb

NVD

Vulners

Node

clogica wp_login_security_and_historyRange≤1.0wordpress

[
  {
    "product": "WP Login Security and History",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThanOrEqual": "1.0",
        "status": "affected",
        "version": "1.0",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
m0ze	www.m0ze.ru/vulnerability/%5B2021-03-29%5D-%5BWordPress%5D-%5BCWE-79%5D-WP-Login-Security-and-History-WordPress-Plugin-v1.0.txt
m0ze	www.m0ze.ru/vulnerability/%5B2021-03-29%5D-%5BWordPress%5D-%5BCWE-352%5D-WP-Login-Security-and-History-WordPress-Plugin-v1.0.txt
wpscan	www.wpscan.com/vulnerability/eeb41d7b-8f9e-4a12-b65f-f310f08e4ace
m0ze	www.m0ze.ru/exploit/csrf-wp-login-security-and-history-v1.0.html

Parameter	Position	Path	Description	CWE
page_num	query param	/wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2	Authenticated CSRF leads to arbitrary settings and potential XSS via unsanitized inputs.	CWE-352, CWE-79
can_show_captcha_option	query param	/wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2	Authenticated CSRF leads to arbitrary settings and potential XSS via unsanitized inputs.	CWE-352, CWE-79
show_captcha_count_option	query param	/wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2	Authenticated CSRF leads to arbitrary settings and potential XSS via unsanitized inputs.	CWE-352, CWE-79
can_block_login_trials	query param	/wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2	Authenticated CSRF leads to arbitrary settings and potential XSS via unsanitized inputs.	CWE-352, CWE-79
login_max_trials	query param	/wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2	Authenticated CSRF leads to arbitrary settings and potential XSS via unsanitized inputs.	CWE-352, CWE-79
login_block_time	query param	/wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2	Authenticated CSRF leads to arbitrary settings and potential XSS via unsanitized inputs.	CWE-352, CWE-79
login_blocked_msg	query param	/wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2	Authenticated CSRF leads to arbitrary settings and potential XSS via unsanitized inputs.	CWE-352, CWE-79
Save_Options	query param	/wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2	Authenticated CSRF leads to arbitrary settings and potential XSS via unsanitized inputs.	CWE-352, CWE-79

21 Nov 2024 05:52Current

6.2Medium risk

Vulners AI Score6.2

CVSS 23.5

CVSS 3.16.2

EPSS0.0018

cve-2021-24328 wp login security history wordpress plugin csrf xss nvd