8.8
CVE-2021-24546
- EPSS 1.75%
- Veröffentlicht 11.10.2021 11:15:08
- Zuletzt bearbeitet 21.11.2024 05:53:16
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginEditorsKit < 1.31.6 - Contributor+ Arbitrary PHP Code Execution
EditorsKit <= 1.31.5 - Authenticated (Contributor+) Code Injection
The Gutenberg Block Editor Toolkit – EditorsKit WordPress plugin before 1.31.6 does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low contributor to execute Arbitrary PHP code
Mögliche Gegenmaßnahme
Gutenberg Block Editor Toolkit – EditorsKit: Update to version 1.31.6, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Extendify ≫ Editorskit SwPlatformwordpress Version < 1.31.6
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Gutenberg Block Editor Toolkit – EditorsKit
Version
*-1.31.5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.75% | 0.75 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
https://wpscan.com/vulnerability/bdc36f6a-682d-4d66-b587-92e86085d971
https://www.wordfence.com/threat-intel/vulnerabilities/id/0725c0ac-91a7-4359-b911-a450635b09bb