CVE-2021-42360

Exploit

EPSS 0.17%
Veröffentlicht 17.11.2021 18:15:08
Zuletzt bearbeitet 21.11.2024 06:27:39
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Starter Templates — Elementor, Gutenberg & Beaver Builder Templates <= 2.7.0 - Missing Authorization to Stored Cross-Site Scripting

On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the post or page to overwrite. Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.

Mögliche Gegenmaßnahme

Starter Templates – AI-Powered Templates for Elementor & Gutenberg: Update to version 2.7.1, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 4 CWE 3 Referenzen 5

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Starter Templates – AI-Powered Templates for Elementor & Gutenberg

Version *-2.7.0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Brainstormforce ≫ Starter Templates SwPlatformwordpress Version <= 2.7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.39

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N
security@wordfence.com	7.6	2.8	4.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-99 Improper Control of Resource Identifiers ('Resource Injection')

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

https://www.wordfence.com/blog/2021/11/over-1-million-sites-impacted-by-vulnerability-in-starter-templates-plugin/

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/cf4f3f5e-28f7-492c-9d54-4826826bd904

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-42360

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-42360

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-42360

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-42360