
CVE-2021-24825 Custom Content Shortcode < 4.0.2 - Authenticated Arbitrary File Access / LFI

2022-03-07 08:16:05
CWE-345
WPScan
www.cve.org
wordpress plugin vulnerability
authenticated access
arbitrary file access
lfi
admin+ vulnerability
contributor+ vulnerability
filesystem attack

AI Score: 5
Confidence: High
EPSS: 0.001
Percentile: 23.0%

The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem (such as logs, .htaccess, etc.), as well as perform Local File Inclusion attacks, as PHP files will be executed. Please note that such an attack is still possible by admin+ users in single-site blogs by default (but won't be when either the unfiltered_html or file_edit capability is disallowed).

CNA Affected

[
  {
    "product": "Custom Content Shortcode",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "4.0.2",
        "status": "affected",
        "version": "4.0.2",
        "versionType": "custom"
      }
    ]
  }
]

