7.5
CVE-2021-24831
- EPSS 1.2%
- Veröffentlicht 03.01.2022 13:15:08
- Zuletzt bearbeitet 21.11.2024 05:53:50
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginTab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls
Tab – Accordion, FAQ < 1.3.2 - Unauthenticated Arbitrary Tab Modification
All AJAX actions of the Tab WordPress plugin before 1.3.2 are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs.
Mögliche Gegenmaßnahme
Tab – Accordion, FAQ: Update to version 1.3.2, or a newer patched version
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.2% | 0.64 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
CWE-425 Direct Request ('Forced Browsing')
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://wpscan.com/vulnerability/75ed9f5f-e091-4372-a6cb-57958ad5f900
https://www.wordfence.com/threat-intel/vulnerabilities/id/ec002a5a-1965-4828-8a0a-19941af98e2d