Lucene search

PRIOn knowledge basePRION:CVE-2021-4362

HistoryJun 07, 2023 - 2:15 a.m.

Authorization

2023-06-0702:15:00

PRIOn knowledge base

www.prio-n.com

wordpress

kiwi social share

plugin

vulnerability

authorization bypass

capability check

ajax action

unauthenticated attackers

arbitrary options

site takeover

nvd

9.2 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.4%

JSON

The Kiwi Social Share plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the kiwi_social_share_get_option() function called via the kiwi_social_share_get_option AJAX action in version 2.1.0. This makes it possible for unauthenticated attackers to read and modify arbitrary options on a WordPress site that can be used for complete site takeover. This was a previously fixed vulnerability that was reintroduced in this version.

CPENameOperatorVersion
kiwi_social_shareeq2.1.0

CPE	Name	Operator	Version
	kiwi_social_share	eq	2.1.0

References

blog.nintechnet.com/wordpress-kiwi-social-sharing-plugin-fixed-critical-vulnerability/

wordpress.org/plugins/kiwi-social-share/

www.wordfence.com/threat-intel/vulnerabilities/id/8148b6d0-190a-4b97-8af7-edd6943116d1?source=cve