5.7
CVE-2021-24703
- EPSS 0.39%
- Veröffentlicht 23.11.2021 20:15:09
- Zuletzt bearbeitet 21.11.2024 05:53:35
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginDownload Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation
Download Plugin < 1.6.1 - Cross-Site Request Forgery
The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.
Mögliche Gegenmaßnahme
Download Plugin: Update to version 1.6.1, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Metagauss ≫ Download Plugin SwPlatformwordpress Version < 1.6.1
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Download Plugin
Version
[*, 1.6.1)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.39% | 0.302 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.7 | 2.1 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
CWE-732 Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
https://wpscan.com/vulnerability/4ed8296e-1306-481f-9a22-723b051122c0
https://www.wordfence.com/threat-intel/vulnerabilities/id/585a7332-b063-463c-8077-68a860e14df2