6.5
CVE-2021-24721
- EPSS 0.28%
- Published 08.11.2021 18:15:09
- Last modified 21.11.2024 05:53:37
- Source contact@wpscan.com
Loco Translate <= 2.5.3 - Authenticated PHP Code Injection
The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations.
Possible mitigation
Loco Translate: Update to version 2.5.4, or a newer patched version
Further vulnerability information
System: WordPress Plugin
Product: Loco Translate
Version: [*, 2.5.4)
Data provided by the National Vulnerability Database (NVD)
Loco Translate Project » Loco Translate (software platform: wordpress), version < 2.5.4
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.28% | 0.511 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd@nist.gov | 4 | 8 | 2.9 | AV:N/AC:L/Au:S/C:N/I:P/A:N |
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.