7.2
CVE-2021-24252
- EPSS 0.99%
- Veröffentlicht 06.05.2021 13:15:11
- Zuletzt bearbeitet 21.11.2024 05:52:41
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginEvent Banner <= 1.3 - Cross-Site Request Forgery
The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)
Mögliche Gegenmaßnahme
Event Banner: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Event Banner
Version
*-1.3
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wp-eventmanager ≫ Event Banner SwPlatformwordpress Version <= 1.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.99% | 0.762 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.