CVE-2021-24226
AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage
Vexday Risk Score
18Bajo
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS —EPSS 5.4%KEV nãoPoC —Nuclei simMetasploit —Patch —
Ciclo de vida
12 abr 2021Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, no login or administrator role is required.
Productos afectados
Unknown · AccessAlly¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →