CVE-2021-24219
Base score: 5.3
Exploit

Multiple Thrive Themes and Plugins (Various Versions) - Arbitrary Options Update

The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin before 2.3.9.4, Thrive Apprentice WordPress plugin before 2.3.9.4, Thrive Visual Editor WordPress plugin before 2.6.7.4, Thrive Dashboard WordPress plugin before 2.3.9.3, Thrive Ovation WordPress plugin before 2.4.5, Thrive Clever Widgets WordPress plugin before 1.57.1, and the Rise, Ignition, Luxe, FocusBlog, Minus, Squared, Voice, Performag, Pressive and Storied themes by Thrive Themes before 2.0.0, as well as the Thrive Themes Builder WordPress theme before 2.2.4, register a REST API endpoint associated with Zapier functionality.

The endpoint was intended to require an API key, but in vulnerable versions it could be reached by supplying an empty api_key parameter when Zapier was not enabled. Because WordPress REST routes are reachable without a session, an unauthenticated attacker could use the endpoint to write arbitrary data into a predefined option in the wp_options table.
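As an added example (not the Thrive Themes source, which this page does not reproduce), the mu-plugin sketch below shows the access-control pattern that produces the behaviour described above, beside a hardened permission callback. The route `example/v1/zapier/store`, the option names and the function names are assumptions; comparing the supplied key against a stored key that is empty or unset when the integration is off is one plausible way to get the stated symptom, not a statement of the actual plugin logic.

```php
<?php
/**
 * Illustrative reconstruction of the access-control flaw behind CVE-2021-24219
 * and one way to fix it. Example code written for this page, not Thrive Themes
 * code. Option names, route, namespace and function names are assumptions; the
 * real endpoint and option are not named on this page.
 *
 * Drop into wp-content/mu-plugins/ on a test site to try it.
 */

// Assumed option names (hypothetical, not the plugin's real option names).
const EXAMPLE_ZAPIER_KEY_OPTION  = 'example_zapier_api_key';
const EXAMPLE_ZAPIER_DATA_OPTION = 'example_zapier_data';

/**
 * VULNERABLE pattern: the permission callback only asks "does the supplied key
 * equal the stored key?". If the Zapier integration was never enabled there is
 * no stored key: get_option() returns '' or false (no option row at all), and
 * an empty api_key parameter compares equal to both under PHP's loose ==.
 * Unauthenticated callers therefore pass.
 */
function example_zapier_permission_vulnerable( WP_REST_Request $request ) {
    $supplied = $request->get_param( 'api_key' );        // '' from "api_key="
    $stored   = get_option( EXAMPLE_ZAPIER_KEY_OPTION );  // '' or false when not enabled
    return $supplied == $stored;                          // '' == '' and '' == false are both true
}

/**
 * HARDENED pattern: fail closed when the integration is not configured,
 * require a non-empty key, and compare strict strings in constant time.
 */
function example_zapier_permission_hardened( WP_REST_Request $request ) {
    $stored = get_option( EXAMPLE_ZAPIER_KEY_OPTION, '' );
    if ( ! is_string( $stored ) || $stored === '' ) {
        // Integration not enabled: nobody may call this endpoint, key or no key.
        return new WP_Error( 'rest_forbidden', 'Zapier integration is not enabled.', array( 'status' => 403 ) );
    }

    $supplied = $request->get_param( 'api_key' );
    if ( ! is_string( $supplied ) || $supplied === '' || ! hash_equals( $stored, $supplied ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid API key.', array( 'status' => 403 ) );
    }
    return true;
}

/** Endpoint body: writes caller-supplied data into one predefined option. */
function example_zapier_store( WP_REST_Request $request ) {
    // Sanitize before storing; the advisory says vulnerable versions accepted arbitrary data.
    $data = sanitize_text_field( (string) $request->get_param( 'data' ) );
    update_option( EXAMPLE_ZAPIER_DATA_OPTION, $data );
    return rest_ensure_response( array( 'stored' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/zapier/store', array(
        'methods'             => 'POST',
        'callback'            => 'example_zapier_store',
        // Swap in example_zapier_permission_vulnerable to reproduce the flaw on a test site.
        'permission_callback' => 'example_zapier_permission_hardened',
        'args'                => array(
            'api_key' => array( 'type' => 'string' ),
            'data'    => array( 'type' => 'string' ),
        ),
    ) );
} );
```

With the vulnerable callback wired in, `curl -X POST https://example.test/wp-json/example/v1/zapier/store -d 'api_key=&data=x'` succeeds on a site that never enabled the integration; the hardened callback returns 403 both when no key is configured and when the supplied key is empty or wrong. Note that `get_option()` returns `false` for a missing option row, which is why the hardened version checks `is_string()` rather than relying on loose comparison against a default.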
Possible countermeasure
Thrive Optimize: Update to version 1.4.13.3, or a newer patched version
Thrive Apprentice: Update to version 2.3.9.4, or a newer patched version
Thrive Clever Widgets: Update to version 1.57.1, or a newer patched version
Thrive Comments: Update to version 1.4.15.3, or a newer patched version
Thrive Dashboard: Update to version 2.3.9.3, or a newer patched version
Thrive Headline Optimizer: Update to version 1.3.7.3, or a newer patched version
Thrive Leads: Update to version 2.3.9.4, or a newer patched version
Thrive Ovation: Update to version 2.4.5, or a newer patched version
Thrive Quiz Builder: Update to version 2.3.9.4, or a newer patched version
Thrive Ultimatum: Update to version 2.3.9.4, or a newer patched version
Thrive Visual Editor: Update to version 2.6.7.4, or a newer patched version
FocusBlog: Update to version 2.0.0, or a newer patched version
Ignition: Update to version 2.0.0, or a newer patched version
Luxe: Update to version 2.0.0, or a newer patched version
Minus: Update to version 2.0.0, or a newer patched version
Performag: Update to version 2.0.0, or a newer patched version
Pressive: Update to version 2.0.0, or a newer patched version
Rise: Update to version 2.0.0, or a newer patched version
Squared: Update to version 2.0.0, or a newer patched version
Storied: Update to version 2.0.0, or a newer patched version
Thrive Themes Builder: Update to version 2.2.4, or a newer patched version
Voice: Update to version 2.0.0, or a newer patched version
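As an added check (not part of the advisory), the following script walks the installed plugins and themes and reports any Thrive component still below the fixed version listed above. It matches on each component's "Name" header; the exact header strings Thrive uses are not on this page, so the keys are assumptions to adjust if they differ on your site.

```php
<?php
/**
 * Added check, not part of the advisory: report installed Thrive plugins and
 * themes still below the fixed versions from the mitigation list.
 * Assumption: components are matched on their "Name" header, lower-cased.
 * Run on a site you administer, e.g.:  wp eval-file thrive-check.php
 */

/** Fixed versions from the mitigation list; anything below is affected. */
function example_thrive_fixed_versions() {
    return array(
        'plugin' => array(
            'thrive optimize'           => '1.4.13.3',
            'thrive apprentice'         => '2.3.9.4',
            'thrive clever widgets'     => '1.57.1',
            'thrive comments'           => '1.4.15.3',
            'thrive dashboard'          => '2.3.9.3',
            'thrive headline optimizer' => '1.3.7.3',
            'thrive leads'              => '2.3.9.4',
            'thrive ovation'            => '2.4.5',
            'thrive quiz builder'       => '2.3.9.4',
            'thrive ultimatum'          => '2.3.9.4',
            'thrive visual editor'      => '2.6.7.4',
        ),
        'theme' => array(
            'focusblog' => '2.0.0', 'ignition' => '2.0.0', 'luxe'      => '2.0.0',
            'minus'     => '2.0.0', 'performag' => '2.0.0', 'pressive' => '2.0.0',
            'rise'      => '2.0.0', 'squared'   => '2.0.0', 'storied'  => '2.0.0',
            'voice'     => '2.0.0', 'thrive themes builder' => '2.2.4',
        ),
    );
}

/**
 * Compare one installed component against its fixed version.
 * version_compare() understands four-part versions, so 2.3.9.10 is correctly
 * treated as newer than 2.3.9.4; a plain string comparison would get that wrong.
 */
function example_thrive_is_affected( $type, $name, $installed ) {
    $fixed = example_thrive_fixed_versions();
    $key   = strtolower( trim( (string) $name ) );
    if ( ! isset( $fixed[ $type ][ $key ] ) ) {
        return false; // not a product named in this advisory
    }
    return version_compare( (string) $installed, $fixed[ $type ][ $key ], '<' );
}

/** Walk installed plugins and themes; return the affected ones as strings. */
function example_thrive_scan() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $affected = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( example_thrive_is_affected( 'plugin', $data['Name'], $data['Version'] ) ) {
            $affected[] = sprintf( 'plugin %s (%s) %s', $data['Name'], $file, $data['Version'] );
        }
    }
    foreach ( wp_get_themes() as $stylesheet => $theme ) {
        if ( example_thrive_is_affected( 'theme', $theme->get( 'Name' ), $theme->get( 'Version' ) ) ) {
            $affected[] = sprintf( 'theme %s (%s) %s', $theme->get( 'Name' ), $stylesheet, $theme->get( 'Version' ) );
        }
    }
    return $affected;
}

$found = example_thrive_scan();
echo $found
    ? "AFFECTED (update per the list above):\n  " . implode( "\n  ", $found ) . "\n"
    : "No affected Thrive components found.\n";
```

Inactive plugins and themes are included on purpose: the REST route is registered by plugin code, so only active components expose it, but an inactive vulnerable copy is one activation away from doing so and should be updated as well.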
Further vulnerability information

Version ranges use interval notation: [*, X) means every version below X, with X itself fixed.

System            Product                    Version
WordPress Plugin  Thrive Optimize            [*, 1.4.13.3)
WordPress Plugin  Thrive Apprentice          [*, 2.3.9.4)
WordPress Plugin  Thrive Clever Widgets      [*, 1.57.1)
WordPress Plugin  Thrive Comments            [*, 1.4.15.3)
WordPress Plugin  Thrive Dashboard           [*, 2.3.9.3)
WordPress Plugin  Thrive Headline Optimizer  [*, 1.3.7.3)
WordPress Plugin  Thrive Leads               [*, 2.3.9.4)
WordPress Plugin  Thrive Ovation             [*, 2.4.5)
WordPress Plugin  Thrive Quiz Builder        [*, 2.3.9.4)
WordPress Plugin  Thrive Ultimatum           [*, 2.3.9.4)
WordPress Plugin  Thrive Visual Editor       [*, 2.6.7.4)
WordPress Theme   FocusBlog                  [*, 2.0.0)
WordPress Theme   Ignition                   [*, 2.0.0)
WordPress Theme   Luxe                       [*, 2.0.0)
WordPress Theme   Minus                      [*, 2.0.0)
WordPress Theme   Performag                  [*, 2.0.0)
WordPress Theme   Pressive                   [*, 2.0.0)
WordPress Theme   Rise                       [*, 2.0.0)
WordPress Theme   Squared                    [*, 2.0.0)
WordPress Theme   Storied                    [*, 2.0.0)
WordPress Theme   Thrive Themes Builder      [*, 2.2.4)
WordPress Theme   Voice                      [*, 2.0.0)
Data provided by the National Vulnerability Database (NVD)

Vendor        Product                    Target software  Version
Thrivethemes  Focusblog                  wordpress        < 2.0.0
Thrivethemes  Ignition                   wordpress        < 2.0.0
Thrivethemes  Luxe                       wordpress        < 2.0.0
Thrivethemes  Minus                      wordpress        < 2.0.0
Thrivethemes  Performag                  wordpress        < 2.0.0
Thrivethemes  Pressive                   wordpress        < 2.0.0
Thrivethemes  Rise                       wordpress        < 2.0.0
Thrivethemes  Squared                    wordpress        < 2.0.0
Thrivethemes  Storied                    wordpress        < 2.0.0
Thrivethemes  Thrive Apprentice          wordpress        < 2.3.9.4
Thrivethemes  Thrive Clever Widgets      wordpress        < 1.57.1
Thrivethemes  Thrive Comments            wordpress        < 1.4.15.3
Thrivethemes  Thrive Dashboard           wordpress        < 2.3.9.3
Thrivethemes  Thrive Headline Optimizer  wordpress        < 1.3.7.3
Thrivethemes  Thrive Optimize            wordpress        < 1.4.13.3
Thrivethemes  Thrive Ovation             wordpress        < 2.4.5
Thrivethemes  Thrive Quiz Builder        wordpress        < 2.3.9.4
Thrivethemes  Thrive Themes Builder      wordpress        < 2.2.4
Thrivethemes  Thrive Visual Editor       wordpress        < 2.6.7.4
Thrivethemes  Voice                      wordpress        < 2.0.0
No CISA KEV entry or CERT.AT warning was found for this CVE.

EPSS metrics

Type  Source     Score   Percentile
EPSS  FIRST.org  16.36%  0.947
CVSS metrics

Source        CVSS  Base score  Exploitability  Impact  Vector string
nvd@nist.gov  3.1   5.3         3.9             1.4     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov  2.0   5.0         10.0            2.9     AV:N/AC:L/Au:N/C:N/I:P/A:N

The v3.1 vector matches the description: network-reachable with no privileges or user interaction required (PR:N/UI:N), and the impact confined to the integrity (I:L) of a single predefined option.
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.