8.8
CVE-2021-24696
- EPSS 0.63%
- Veröffentlicht 24.01.2022 08:15:08
- Zuletzt bearbeitet 21.11.2024 05:53:35
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginSimple Download Monitor < 3.9.9 - Multiple CSRF
Simple Download Monitor <= 3.9.8 - Multiple Cross-Site Request Forgery vulnerabilities
The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove thumbnail image from downloads
Mögliche Gegenmaßnahme
Simple Download Monitor: Update to version 3.9.9, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Tipsandtricks-hq ≫ Simple Download Monitor SwPlatformwordpress Version < 3.9.9
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Simple Download Monitor
Version
*-3.9.8
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.63% | 0.454 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
https://wpscan.com/vulnerability/e94772af-39ac-4743-a556-52351ebda9fe
https://www.wordfence.com/threat-intel/vulnerabilities/id/0b8dcab4-dd13-4c08-8623-37a50dcbda1b