Lucene search

[email protected]CVE-2021-24859

HistoryDec 13, 2021 - 11:15 a.m.

CVE-2021-24859

2021-12-1311:15:00

CWE-284

[email protected]

web.nvd.nist.gov

cve-2021-24859

user meta shortcodes

wordpress

data exfiltration

security vulnerability

nvd

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.6 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

24.1%

JSON

The User Meta Shortcodes WordPress plugin through 0.5 registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes

VendorProductVersionCPE
user\-metauser_meta_manager*cpe:2.3:a:user\-meta:user_meta_manager:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
user\-meta	user_meta_manager	*	cpe:2.3:a:user\-meta:user_meta_manager::::::::

References

wpscan.com/vulnerability/958f44a5-07e7-4349-9212-2a039a082ba0

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.6 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

24.1%

JSON

Related for CVE-2021-24859

wpvulndb1 prion1 cnvd1 wpexploit1 patchstack1 cvelist1