exploitDog

CVE-2021-24958

Опубликовано: 14 мар. 2022

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as subscriber could update the plugin's settings and put Cross-Site Scripting payloads in them

Ссылки

https://wpscan.com/vulnerability/011c2519-fd84-4c95-b8b8-23654af59d70
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/011c2519-fd84-4c95-b8b8-23654af59d70
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mekshq:meks_easy_photo_feed_widget:*:*:*:*:*:wordpress:*:*

Версия до 1.2.4 (исключая)

EPSS

Процентиль: 43%

0.00208

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

CWE-79

Связанные уязвимости

GHSA-gjrp-2m36-6xcw

CVSS3: 5.4

github

почти 4 года назад

The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as subscriber could update the plugin's settings and put Cross-Site Scripting payloads in them

EPSS

Процентиль: 43%

0.00208

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

CWE-79