CVE-2021-24890

Scripts Organizer < 3.0 - Unauthenticated Arbitrary File Upload

CVSS 8.8 HIGHEPSS 0.5%CWE-352 CWE-862

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.8EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

26 Sep 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Unknown · scripts-organizer

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://dplugins.com/products/scripts-organizer/https://wpscan.com/vulnerability/f3b450d2-84ce-4c13-ad6a-b60785dee7e7