8.8
CVE-2021-24890
- EPSS 0.22%
- Veröffentlicht 26.09.2022 13:15:09
- Zuletzt bearbeitet 21.05.2025 20:15:25
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginScripts Organizer < 3.0 - Unauthenticated Arbitrary File Upload
The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file
Mögliche Gegenmaßnahme
Scripts Organizer: Update to version 3.0, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Scripts Organizer
Version
[*, 3.0)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Dplugins ≫ Scripts Organizer SwPlatformwordpress Version < 3.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.22% | 0.447 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.