8.8
CVE-2021-24189
- EPSS 1.33%
- Veröffentlicht 14.05.2021 12:15:07
- Zuletzt bearbeitet 21.11.2024 05:52:33
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginCaptchinoo, Google recaptcha for admin login page < 2.4 - Arbitrary Plugin Installation/Activation via Low Privilege User
Captchinoo Captcha <= 2.3 - Missing Authorization to Arbitrary Plugin Installation/Activation
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Captchinoo, Google recaptcha for admin login page WordPress plugin before 2.4, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Mögliche Gegenmaßnahme
Captchinoo, admin login page protection with Google recaptcha: Update to version 2.4, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wp-buy ≫ Captchinoo SwPlatformwordpress Version < 2.4
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Captchinoo, admin login page protection with Google recaptcha
Version
*-2.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.33% | 0.672 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-285 Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c
https://www.wordfence.com/threat-intel/vulnerabilities/id/9d387a5c-717c-4383-af7d-5a5f48628cb7