CVE-2021-25106

WPLegalPages < 2.7.1 - Subscriber+ Arbitrary Settings Update to Stored XSS

EPSS 0.6%CWE-79

Vexday Risk Score

3Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS —EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

07 feb 2022Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting

Productos afectados

Unknown · Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://wpscan.com/vulnerability/47df802d-5200-484b-959c-9f569edf992e