Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2021-24752

Опубликовано: 18 окт. 2021
Источник: nvd
CVSS3: 5.7
CVSS2: 3.5
EPSS Низкий

Описание

Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top WordPress plugin before 2.3, Header Enhancement WordPress plugin before 1.5, Generate Child Theme WordPress plugin before 1.6, Essential Content Types WordPress plugin before 1.9, Catch Web Tools WordPress plugin before 2.7, Catch Under Construction WordPress plugin before 1.4, Catch Themes Demo Import WordPress plugin before 1.6, Catch Sticky Menu WordPress plugin before 1.7, Catch Scroll Progress Bar WordPress plugin before 1.6, Social Gallery and Widget WordPress plugin before 2.3, Catch Infinite Scroll WordPress plugin before 1.9, Catch Import Export WordPress plugin before 1.9, Catch Gallery WordPress plugin before 1.7, Catch Duplicate Switcher WordPress plugin before 1.6, Catch Breadcrumb WordPress plugin before 1.7, Catch IDs WordPress

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:catchplugins:catch_scroll_progress_bar:*:*:*:*:*:wordpress:*:*
Версия до 1.6 (исключая)
cpe:2.3:a:catchplugins:catch_sticky_menu:*:*:*:*:*:wordpress:*:*
Версия до 1.7 (исключая)
cpe:2.3:a:catchplugins:catch_themes_demo_import:*:*:*:*:*:wordpress:*:*
Версия до 1.6 (исключая)
cpe:2.3:a:catchplugins:catch_under_construction:*:*:*:*:*:wordpress:*:*
Версия до 1.4 (исключая)
cpe:2.3:a:catchplugins:catch_web_tools:*:*:*:*:*:wordpress:*:*
Версия до 2.7 (исключая)
cpe:2.3:a:catchplugins:essential_content_types:*:*:*:*:*:wordpress:*:*
Версия до 1.9 (исключая)
cpe:2.3:a:catchplugins:essential_widgets:*:*:*:*:*:wordpress:*:*
Версия до 1.9 (исключая)
cpe:2.3:a:catchplugins:generate_child_theme:*:*:*:*:*:wordpress:*:*
Версия до 1.6 (исключая)
cpe:2.3:a:catchplugins:header_enhancement:*:*:*:*:*:wordpress:*:*
Версия до 1.5 (исключая)
cpe:2.3:a:catchplugins:to_top:*:*:*:*:*:wordpress:*:*
Версия до 2.3 (исключая)

EPSS

Процентиль: 32%
0.00128
Низкий

5.7 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-284
CWE-352

Связанные уязвимости

github логотип

GHSA-qcgq-c97q-26vw

CVSS3: 5.7
github
больше 3 лет назад

Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top WordPress plugin before 2.3, Header Enhancement WordPress plugin before 1.5, Generate Child Theme WordPress plugin before 1.6, Essential Content Types WordPress plugin before 1.9, Catch Web Tools WordPress plugin before 2.7, Catch Under Construction WordPress plugin before 1.4, Catch Themes Demo Import WordPress plugin before 1.6, Catch Sticky Menu WordPress plugin before 1.7, Catch Scroll Progress Bar WordPress plugin before 1.6, Social Gallery and Widget WordPress plugin before 2.3, Catch Infinite Scroll WordPress plugin before 1.9, Catch Import Export WordPress plugin before 1.9, Catch Gallery WordPress plugin before 1.7, Catch Duplicate Switcher WordPress plugin before 1.6, Catch Breadcrumb WordPress plugin before 1.7, Catch IDs WordPr...

EPSS

Процентиль: 32%
0.00128
Низкий

5.7 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-284
CWE-352