CVE-2021-25053

🗓️ 10 Jan 2022 15:30:36Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 42 Views🌐 WEB

The WP Coder WordPress plugin before 2.5.2 allows arbitrary file inclusion, leading to CSRF RCE

Reporter	Title	Published	Views	Family All 11
CNNVD	WordPress plugin WP Coder 跨站请求伪造漏洞	10 Jan 202200:00	–	cnnvd
CNVD	WordPress WP Coder plugin file contains vulnerability	14 Jan 202200:00	–	cnvd
Cvelist	CVE-2021-25053 WP Coder < 2.5.2 - RFI leading to RCE via CSRF	10 Jan 202215:30	–	cvelist
EUVD	EUVD-2021-11965	7 Oct 202500:30	–	euvd
NVD	CVE-2021-25053	10 Jan 202216:15	–	nvd
OSV	CVE-2021-25053	10 Jan 202216:15	–	osv
Patchstack	WordPress WP Coder plugin <= 2.5.1 - Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF vulnerability	5 Dec 202100:00	–	patchstack
Prion	Cross site request forgery (csrf)	10 Jan 202216:15	–	prion
RedhatCVE	CVE-2021-25053	22 May 202519:24	–	redhatcve
wpexploit	WP Coder < 2.5.2 - RFI leading to RCE via CSRF	5 Dec 202100:00	–	wpexploit

NVD

Vulners

Node

wow-company wp_coderRange<2.5.2wordpress

[
  {
    "product": "WP Coder – add custom html, css and js code",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "2.5.2",
        "status": "affected",
        "version": "2.5.2",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/changeset/2641650/wp-coder
wpscan	www.wpscan.com/vulnerability/a5448599-64de-43b0-b04d-c6492366eab1

Parameter	Position	Path	Description	CWE
page	query param	/wp-admin/admin.php	WordPress plugin wow-company admin page allows include() of arbitrary PHP file (including data:// or http://), enabling CSRF RCE. CWE-352.	CWE-352
tab	query param	/wp-admin/admin.php	WordPress plugin wow-company admin page allows include() of arbitrary PHP file (including data:// or http://), enabling CSRF RCE. CWE-352.	CWE-352

21 Nov 2024 05:54Current

8.8High risk

Vulners AI Score8.8

CVSS 25.1

CVSS 3.18.8

EPSS0.00109

CWE-352

wp coder wordpress plugin arbitrary file inclusion csrf rce