10
CVE-2021-24527
- EPSS 76.79%
- Veröffentlicht 16.08.2021 11:15:08
- Zuletzt bearbeitet 21.11.2024 05:53:14
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginProfile Builder <= 3.4.8 - Admin Access via Password Reset
The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such change by email for example.
Mögliche Gegenmaßnahme
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor: Update to version 3.4.9, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Version
[*, 3.4.9)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cozmoslabs ≫ Profile Builder SwPlatformwordpress Version < 3.4.9
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 76.79% | 0.989 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 10 | 10 | 10 |
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.