CVE-2021-24859 User Meta Shortcodes <= 0.5 - Contributor+ Unauthorized Arbitrary User Metadata Access

2021-12-1310:41:11

CWE-284

WPScan

www.cve.org

5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

24.8%

JSON

The User Meta Shortcodes WordPress plugin through 0.5 registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes

CNA Affected

[
  {
    "product": "User meta shortcodes",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThanOrEqual": "0.5",
        "status": "affected",
        "version": "0.5",
        "versionType": "custom"
      }
    ]
  }
]