CVE-2021-24472

Exploit

EPSS 56.61%
Veröffentlicht 02.08.2021 11:15:10
Zuletzt bearbeitet 21.11.2024 05:53:08
Quelle contact@wpscan.com
CVE-Watchlists
Login
Unerledigt
Login

Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Unauthenticated RFI and SSRF

QT KenthaRadio < 2.0.2 & OnAir2 < 3.9.9.2 - Server-Side Request Forgery & Remote File Inclusion

The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.

Mögliche Gegenmaßnahme

KenthaRadio - Addon for Kentha Music WordPress Theme To Add Radio Station and Schedule Functionality: Update to version 2.0.2, or a newer patched version

Onair2: Radio Station WordPress Theme With Non-Stop Music Player: Update to version 3.9.9.2, or a newer patched version

KenthaRadio - Addon for Kentha Music WordPress Theme To Add Radio Station and Schedule Functionality: Update to version 2.0.2, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Qantumthemes ≫ Kentharadio SwPlatformwordpress Version < 2.0.2

Qantumthemes ≫ Onair2 SwPlatformwordpress Version < 3.9.9.2

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt KenthaRadio - Addon for Kentha Music WordPress Theme To Add Radio Station and Schedule Functionality

Version [*, 2.0.2)

SystemWordPress Theme

≫

Produkt Onair2: Radio Station WordPress Theme With Non-Stop Music Player

Version [*, 3.9.9.2)

SystemWordPress Theme

≫

Produkt KenthaRadio - Addon for Kentha Music WordPress Theme To Add Radio Station and Schedule Functionality

Version [*, 2.0.2)

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	56.61%	0.989

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://wpscan.com/vulnerability/17591ac5-88fa-4cae-a61a-4dcf5dc0b72a

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/93b5552e-bb24-4dfb-a779-8451f619ff50

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-24472

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-24472

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-24472

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-24472