Lucene search

[email protected]CVE-2021-4389

HistoryJul 01, 2023 - 5:15 a.m.

CVE-2021-4389

2023-07-0105:15:15

CWE-352

[email protected]

web.nvd.nist.gov

wp travel

wordpress

vulnerability

cross-site request forgery

csrf

nvd

cve-2021-4389

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

4.3 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

46.0%

JSON

The WP Travel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.6. This is due to missing or incorrect nonce validation on the save_meta_data() function. This makes it possible for unauthenticated attackers to save metadata for travel posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CPENameOperatorVersion
wensolutions:wp_travelwensolutions wp travellt4.4.7
wensolutions:wp_travelwensolutions wp traveleq4.4.2
wensolutions:wp_travelwensolutions wp traveleq1.0.4
wensolutions:wp_travelwensolutions wp traveleq4.0.0
wensolutions:wp_travelwensolutions wp traveleq4.1.3
wensolutions:wp_travelwensolutions wp traveleq4.0.1
wensolutions:wp_travelwensolutions wp traveleq1.8.1
wensolutions:wp_travelwensolutions wp traveleq1.0.0
wensolutions:wp_travelwensolutions wp traveleq3.1.0
wensolutions:wp_travelwensolutions wp traveleq4.1.0

CPE	Name	Operator	Version
wensolutions:wp_travel	wensolutions wp travel	lt	4.4.7
wensolutions:wp_travel	wensolutions wp travel	eq	4.4.2
wensolutions:wp_travel	wensolutions wp travel	eq	1.0.4
wensolutions:wp_travel	wensolutions wp travel	eq	4.0.0
wensolutions:wp_travel	wensolutions wp travel	eq	4.1.3
wensolutions:wp_travel	wensolutions wp travel	eq	4.0.1
wensolutions:wp_travel	wensolutions wp travel	eq	1.8.1
wensolutions:wp_travel	wensolutions wp travel	eq	1.0.0
wensolutions:wp_travel	wensolutions wp travel	eq	3.1.0
wensolutions:wp_travel	wensolutions wp travel	eq	4.1.0

Rows per page:

1-10 of 1531

References

blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/

blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/

blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/

blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/

blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/

blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/

blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/

plugins.trac.wordpress.org/changeset/2477827/wp-travel/tags/4.4.7/inc/admin/class-admin-metaboxes.php

www.wordfence.com/threat-intel/vulnerabilities/id/28dea1e9-e772-488e-b98f-93a46ab84581?source=cve

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

4.3 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

46.0%

JSON

Related for CVE-2021-4389

prion1 cvelist1