CVE-2021-24890

Scripts Organizer < 3.0 - Unauthenticated Arbitrary File Upload

CVSS 8.8 HIGHEPSS 0.5%CWE-352 CWE-862

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.8EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

26 sep 2022Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Productos afectados

Unknown · scripts-organizer

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://dplugins.com/products/scripts-organizer/https://wpscan.com/vulnerability/f3b450d2-84ce-4c13-ad6a-b60785dee7e7