CVE-2021-44223

Exploit

EPSS 27.49%
Published 25.11.2021 15:15:09
Last modified 21.11.2024 06:30:36
Source cve@mitre.org
Teams watchlist Login
Open Login

WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

Affected products Warnungen 0 Metrics 4 CWE 0 References 5

Data is provided by the National Vulnerability Database (NVD)

Wordpress ≫ Wordpress Version < 5.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	27.49%	0.962

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
cve@mitre.org	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/

Vendor Advisory

Release Notes

https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-44223

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-44223

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-44223

EUVD