exploitDog

CVE-2021-24675

Опубликовано: 18 окт. 2021

Источник: nvd

CVSS3: 6.5

CVSS2: 4.3

EPSS Низкий

Описание

The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. As a result, attackers could make logged in user change their avatar via a CSRF attack

Ссылки

https://wpscan.com/vulnerability/9b9a55d5-c121-4b5b-80df-f9f419c0dc55
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/9b9a55d5-c121-4b5b-80df-f9f419c0dc55
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:onedesigns:one_user_avatar:*:*:*:*:*:wordpress:*:*

Версия до 2.3.7 (исключая)

EPSS

Процентиль: 29%

0.00103

Низкий

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-352

Связанные уязвимости

GHSA-jwxc-3mv8-gfrr

github

больше 3 лет назад

The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. As a result, attackers could make logged in user change their avatar via a CSRF attack

EPSS

Процентиль: 29%

0.00103

Низкий

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-352