CVE-2021-24289

Опубликовано: 17 мая 2021

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin.

Ссылки

https://wpscan.com/vulnerability/078e93cd-7cf2-4e23-8171-58d44e354d62
Third Party Advisory
https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-leads-to-closure-of-store-locator-plus-plugin/
Third Party Advisory
https://wpscan.com/vulnerability/078e93cd-7cf2-4e23-8171-58d44e354d62
Third Party Advisory
https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-leads-to-closure-of-store-locator-plus-plugin/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:de-baat:store_locator_plus:*:*:*:*:*:wordpress:*:*

Версия до 5.5.14 (включая)

EPSS

Процентиль: 77%

0.01005

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-269

Связанные уязвимости

GHSA-m38j-h682-h2cp

github

больше 3 лет назад