Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveWPScanCVE-2021-24825
HistoryMar 07, 2022 - 9:15 a.m.

CVE-2021-24825

2022-03-0709:15:08
CWE-345
WPScan
web.nvd.nist.gov
62
cve-2021-24825
custom content shortcode
wordpress plugin
security vulnerability
arbitrary file display
local file inclusion
admin+
contributor+

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.6

Confidence

High

EPSS

0.001

Percentile

23.0%

JSON

The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem (such as logs, .htaccess etc), as well as perform Local File Inclusion attacks as PHP files will be executed. Please note that such attack is still possible by admin+ in single site blogs by default (but won’t be when either the unfiltered_html or file_edit is disallowed)

Affected configurations

Nvd
Vulners
Node
custom_content_shortcode_projectcustom_content_shortcodeRange<4.0.2wordpress
VendorProductVersionCPE
custom_content_shortcode_projectcustom_content_shortcode*cpe:2.3:a:custom_content_shortcode_project:custom_content_shortcode:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "product": "Custom Content Shortcode",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "4.0.2",
        "status": "affected",
        "version": "4.0.2",
        "versionType": "custom"
      }
    ]
  }
]

Related

prion 1
patchstack 1
cvelist 1
wpvulndb 1
wpexploit 1
cnvd 1
nvd 1
prion
prion
Design/Logic Flaw
2022-03-07 09:15:00
patchstack
patchstack
WordPress Custom Content Shortcode plugin <= 4.0.1 - Authenticated Arbitrary File Access / Local File Inclusion (LFI) vulnerability
2022-02-02 00:00:00
cvelist
cvelist
CVE-2021-24825 Custom Content Shortcode < 4.0.2 - Authenticated Arbitrary File Access / LFI
2022-03-07 08:16:05
wpvulndb
wpvulndb
Custom Content Shortcode < 4.0.2 - Authenticated Arbitrary File Access / LFI
2022-02-02 00:00:00
wpexploit
wpexploit
Custom Content Shortcode < 4.0.2 - Authenticated Arbitrary File Access / LFI
2022-02-02 00:00:00
cnvd
cnvd
WordPress plugin Custom Content Shortcode access control error vulnerability
2022-03-09 00:00:00
nvd
nvd
CVE-2021-24825
2022-03-07 09:15:08

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.6

Confidence

High

EPSS

0.001

Percentile

23.0%

JSON
Related for CVE-2021-24825
prion1patchstack1cvelist1wpvulndb1wpexploit1cnvd1nvd1