8.8
CVE-2021-34628
- EPSS 0.7%
- Veröffentlicht 02.08.2021 21:15:08
- Zuletzt bearbeitet 21.11.2024 06:10:50
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginAdmin Custom Login <= 3.2.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Admin Custom Login <= 3.2.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting
The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the ~/includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.7.
Mögliche Gegenmaßnahme
Admin Custom Login: Update to version 3.2.8, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Weblizar ≫ Admin Custom Login SwPlatformwordpress Version <= 3.2.7
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Admin Custom Login
Version
*-3.2.7
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.7% | 0.482 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
| security@wordfence.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
https://plugins.trac.wordpress.org/browser/admin-custom-login/tags/3.2.7/includes/login-form-setting/login-form-background.php#L686
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34628
https://www.wordfence.com/threat-intel/vulnerabilities/id/349cada2-8154-4429-a47a-1837581da1dc