
CVE-2021-4374

Published: 2023-06-07 01:51:44
Reporter: Wordfence
Source: www.cve.org

Tags: wordpress, automatic plugin, vulnerability, arbitrary options update, authorization, option validation, unauthenticated attackers

CVSS3 base score: 9.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score: 9.5
Confidence: High
EPSS: 0.004
Percentile: 73.2%

The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site.

CNA Affected

[
  {
    "vendor": "ValvePress",
    "product": "WordPress Automatic Plugin",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThan": "3.53.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
