CVE-2021-24348

Опубликовано: 14 июн. 2021

Источник: nvd

CVSS3: 7.2

CVSS2: 6.5

EPSS Низкий

Описание

The menu delete functionality of the Side Menu – add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users takes the did GET parameter and uses it into an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue

Ссылки

https://codevigilant.com/disclosure/2021/wp-plugin-side-menu/
Exploit
Patch
Third Party Advisory
https://wpscan.com/vulnerability/e0ca257e-6e78-4611-a9ad-be43d37cf474
Exploit
Third Party Advisory
https://codevigilant.com/disclosure/2021/wp-plugin-side-menu/
Exploit
Patch
Third Party Advisory
https://wpscan.com/vulnerability/e0ca257e-6e78-4611-a9ad-be43d37cf474
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wow-estore:side_menu:*:*:*:*:*:wordpress:*:*

Версия до 3.1.5 (исключая)

EPSS

Процентиль: 68%

0.00567

Низкий

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-3545-vxgq-p67f

github

больше 3 лет назад

The menu delete functionality of the Side Menu â€“ add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users takes the did GET parameter and uses it into an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue