8.8
CVE-2021-24289
- EPSS 1.15%
- Veröffentlicht 17.05.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:52:46
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginStore Locator Plus <= 5.5.14 - Authenticated Privilege Escalation
Store Locator Plus <= 5.5.15 - Authenticated Privilege Escalation
There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin.
Mögliche Gegenmaßnahme
Store Locator Plus® for WordPress: Update to version 5.7, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
De-baat ≫ Store Locator Plus SwPlatformwordpress Version <= 5.5.14
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Store Locator Plus® for WordPress
Version
*-5.5.15
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.15% | 0.627 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
https://wpscan.com/vulnerability/078e93cd-7cf2-4e23-8171-58d44e354d62
https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-leads-to-closure-of-store-locator-plus-plugin/
https://www.wordfence.com/threat-intel/vulnerabilities/id/68c1776e-8e29-4eea-87d0-cf7318a64f7d