8.1
CVE-2021-24217
- EPSS 6.51%
- Veröffentlicht 12.04.2021 14:15:15
- Zuletzt bearbeitet 21.11.2024 05:52:36
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginFacebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain
Meta pixel for WordPress <= 2.2.2 - PHP Object Injection
The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.
Mögliche Gegenmaßnahme
Meta pixel for WordPress: Update to version 3.0.0, or a newer patched version
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 6.51% | 0.901 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.