← volver
CVE-2021-24626

Chameleon CSS <= 1.2 - Subscriber+ SQL Injection

EPSS 0.7%CWE-352CWE-89
Vexday Risk Score
3Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS EPSS 0.7%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
08 nov 2021Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection
Productos afectados
Unknown · Chameleon CSS

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://codevigilant.com/disclosure/2021/wp-plugin-chameleon-css/https://wpscan.com/vulnerability/06cb6c14-99b8-45b6-be2e-f4dcca8a4165