5.4

CVE-2021-25018

Exploit

EPSS 0.17%
Veröffentlicht 14.02.2022 12:15:14
Zuletzt bearbeitet 21.11.2024 05:54:11
Quelle contact@wpscan.com
CVE-Watchlists
Login
Unerledigt
Login

PPOM for WooCommerce <= 23.9 - Missing Authorization to Stored Cross-Site Scripting

The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues

Mögliche Gegenmaßnahme

PPOM – Product Addons & Custom Fields for WooCommerce: Update to version 24.0, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt PPOM – Product Addons & Custom Fields for WooCommerce

Version *-23.9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Najeebmedia ≫ Ppom For Woocommerce SwPlatformwordpress Version < 24.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.387

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://wpscan.com/vulnerability/9e092aad-0b36-45a9-8987-8d904b34fbb2

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/8bde357d-e34a-4931-a1a4-bd3ed3b72cec

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-25018

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-25018

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-25018

EUVD