5.4
CVE-2021-25106
- EPSS 0.59%
- Veröffentlicht 07.02.2022 16:15:45
- Zuletzt bearbeitet 21.11.2024 05:54:21
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginWPLegalPages < 2.7.1 - Subscriber+ Arbitrary Settings Update to Stored XSS
Privacy Policy Generator, Terms & Conditions Generator - WPLegalPages <= 2.7.0 - Arbitrary Settings Update to Stored Cross-Site Scripting
The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting
Mögliche Gegenmaßnahme
Privacy Policy Generator – WPLP Legal Pages: Update to version 2.7.1, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wpeka ≫ Wplegalpages SwPlatformwordpress Version < 2.7.1
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Privacy Policy Generator – WPLP Legal Pages
Version
[*, 2.7.1)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.59% | 0.436 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://wpscan.com/vulnerability/47df802d-5200-484b-959c-9f569edf992e
https://www.wordfence.com/threat-intel/vulnerabilities/id/3e85adbd-7e82-4949-916b-20aba1f97bf1