Lucene search

[email protected]CVE-2021-24845

HistoryDec 13, 2021 - 11:15 a.m.

CVE-2021-24845

2021-12-1311:15:00

NVD-CWE-Other

[email protected]

web.nvd.nist.gov

cve-2021-24845

improved include page

wordpress

plugin

shortcode

post_type

post_status

security vulnerability

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

32.2%

JSON

The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with post_type & post_status which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to.

VendorProductVersionCPE
xforwoocommerceimproved_product_options*cpe:2.3:a:xforwoocommerce:improved_product_options:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
xforwoocommerce	improved_product_options	*	cpe:2.3:a:xforwoocommerce:improved_product_options::::::::

References

wpscan.com/vulnerability/ab857454-7c7c-454d-9c7f-1db767961e5f

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

32.2%

JSON

Related for CVE-2021-24845

patchstack1 wpvulndb1 cvelist1 wpexploit1 prion1