exploitDog

CVE-2021-24467

Опубликовано: 09 авг. 2021

Источник: nvd

CVSS3: 6.5

CVSS2: 4.3

EPSS Низкий

Описание

The Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or using malicious attributions which will be executed in all page with an embed map from the plugin

Ссылки

https://wpscan.com/vulnerability/ac32d265-066e-49ec-9042-3145cd99e2e8
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/ac32d265-066e-49ec-9042-3145cd99e2e8
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:leaflet_map_project:leaflet_map:*:*:*:*:*:wordpress:*:*

Версия до 3.0.0 (исключая)

EPSS

Процентиль: 29%

0.00103

Низкий

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

CWE-79

Связанные уязвимости

GHSA-xqqw-c6r3-8gjc

CVSS3: 6.5

github

больше 3 лет назад

The Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or using malicious attributions which will be executed in all page with an embed map from the plugin

EPSS

Процентиль: 29%

0.00103

Низкий

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

CWE-79