CVE-2021-24405 (CVSS base score 6.5; exploit available)

Easy Cookie Policy <= 1.6.2 - Broken Access Control to Stored Cross-Site Scripting
Easy Cookies Policy <= 1.6.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The Easy Cookies Policy WordPress plugin through 1.6.2 lacks any capability check and CSRF check when saving its settings, allowing any authenticated user (such as a subscriber) to change them. If users cannot register, the same change can be made through CSRF against a logged-in victim. Furthermore, the cookie banner setting is neither sanitised nor validated before being output on every frontend page and on the backend settings page, leading to a Stored Cross-Site Scripting issue.
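The description above names two separate defects: a settings-save handler with no capability check and no nonce (CSRF) check, and a banner value that is stored and echoed without sanitisation or escaping. The following is an added illustrative example, not the plugin's code and not a patch for it; the function names, the option name `ecp_demo_banner_text`, the nonce action `ecp_demo_save_settings` and the text domain are all hypothetical. It shows the unchecked pattern the advisory describes next to the hardened form a WordPress plugin should use.

```php
<?php
// Added example (hypothetical names). The real plugin's code is not shown here.

// Pattern the advisory describes: the option is written for any logged-in user
// (or a CSRF'd victim) because nothing checks who is posting, and the raw value
// is later echoed into the frontend and the settings page.
function ecp_demo_save_settings_unchecked() {
    if ( isset( $_POST['ecp_demo_banner_text'] ) ) {
        update_option( 'ecp_demo_banner_text', wp_unslash( $_POST['ecp_demo_banner_text'] ) );
    }
}

// Hardened save handler.
function ecp_demo_save_settings_hardened() {
    if ( ! isset( $_POST['ecp_demo_banner_text'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage options may save.
    //    A subscriber fails this and the request stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ecp-demo' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the form must carry a valid nonce for this action.
    //    A cross-site POST cannot supply it, so the write is refused.
    check_admin_referer( 'ecp_demo_save_settings', 'ecp_demo_nonce' );

    // 3. Sanitise before storing: keep only post-safe HTML, which strips
    //    <script> tags and on* event-handler attributes.
    $clean = wp_kses_post( wp_unslash( $_POST['ecp_demo_banner_text'] ) );
    update_option( 'ecp_demo_banner_text', $clean );
}

// Backend settings form: emits the nonce field and escapes the stored value
// for the textarea context.
function ecp_demo_render_settings_form() {
    $value = get_option( 'ecp_demo_banner_text', '' );
    echo '<form method="post">';
    wp_nonce_field( 'ecp_demo_save_settings', 'ecp_demo_nonce' );
    echo '<textarea name="ecp_demo_banner_text">' . esc_textarea( $value ) . '</textarea>';
    submit_button();
    echo '</form>';
}

// Frontend banner: filter again on output as defence in depth, in case the
// option was written by another code path before the sanitiser existed.
function ecp_demo_render_banner() {
    $value = get_option( 'ecp_demo_banner_text', '' );
    echo '<div class="ecp-demo-banner">' . wp_kses_post( $value ) . '</div>';
}

add_action( 'admin_init', 'ecp_demo_save_settings_hardened' );
add_action( 'wp_footer', 'ecp_demo_render_banner' );
```

The three controls are independent and all three are needed: the capability check closes the subscriber-level write, the nonce closes the CSRF route the advisory mentions for sites without open registration, and sanitising on save plus escaping on output removes the stored XSS even if a write does get through. In a real plugin the same result is usually obtained with `register_setting()` and a `sanitize_callback`, with WordPress's Settings API supplying the nonce handling.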
Possible countermeasure
Easy Cookies Policy: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Data provided by the National Vulnerability Database (NVD)
Vendor: Izsoft; Product: Easy Cookies Policy; Software platform: wordpress; Version <= 1.6.2
Further vulnerability information
System: WordPress Plugin
Product: Easy Cookies Policy
Version: *-1.6.2
No warning was found for this CVE.
EPSS metrics
Type   Source     Score    Percentile
EPSS   FIRST.org  10.99%   0.953

CVSS metrics
Source        Base Score  Exploitability Score  Impact Score  Vector String
nvd@nist.gov  6.5         2.8                   3.6           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov  4           8                     2.9           AV:N/AC:L/Au:S/C:N/I:P/A:N
CWE-863: Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

References
http://packetstormsecurity.com/files/166543/WordPress-Easy-Cookie-Policy-1.6.2-Cross-Site-Scripting.html (Third Party Advisory, Exploit, VDB Entry)
https://wpscan.com/vulnerability/9157d6d2-4bda-4fcd-8192-363a63a51ff5 (Third Party Advisory, Exploit)
https://www.wordfence.com/threat-intel/vulnerabilities/id/f8f7a00e-9cb4-4640-bda9-0cd7341d0c41 (Third Party Advisory)