CVE-2021-24384
JoomSport < 5.1.8 - Unauthenticated PHP Object Injection
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS —EPSS 2.1%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
06 Jul 2021Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →