exploitDog

CVE-2021-25106

Опубликовано: 07 фев. 2022

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting

Ссылки

https://wpscan.com/vulnerability/47df802d-5200-484b-959c-9f569edf992e
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/47df802d-5200-484b-959c-9f569edf992e
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wpeka:wplegalpages:*:*:*:*:*:wordpress:*:*

Версия до 2.7.1 (исключая)

EPSS

Процентиль: 43%

0.00208

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

CWE-79

Связанные уязвимости

GHSA-h2hg-rvg6-p5x3

github

около 4 лет назад

The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting

EPSS

Процентиль: 43%

0.00208

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

CWE-79