CVE-2021-24337

Exploit

EPSS 1.57%
Veröffentlicht 07.06.2021 11:15:16
Zuletzt bearbeitet 21.11.2024 05:52:52
Quelle contact@wpscan.com
CVE-Watchlists
Login
Unerledigt
Login

Video Embed <= 1.0 - Authenticated (subscriber+) SQL Injection

Video Embed <= 1.0 - Authenticated (Subscriber+) SQL Injection

The id GET parameter of one of the Video Embed WordPress plugin through 1.0's page (available via forced browsing) is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection.

Mögliche Gegenmaßnahme

Video Embed: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Video-embed-box Project ≫ Video-embed-box SwPlatformwordpress Version <= 1.0

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Video Embed

Version *-1.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.57%	0.721

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://codevigilant.com/disclosure/2021/wp-plugin-video-embed-box/

Third Party Advisory

Exploit

https://wpscan.com/vulnerability/a8fd8dd4-5b5e-462e-8dae-065d5e2d003a

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/667023f9-9c45-4182-b1f1-9d85d17aaf58

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-24337

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-24337

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-24337

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-24337