CVE-2021-24405
MEDIUM 6.5
Description
The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any capability and CSRF check when saving its settings, allowing any authenticated users (such as subscriber) to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in all pages of the frontend and the backend settings one, leading to a Stored Cross-Site Scripting issue.
CVE Details
CVSS v3.1 Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Published: 7/6/2021
Last Modified: 11/21/2024
Source: nvd
Honeypot Observations: 0
Affected Products
izsoft:easy_cookies_policy
Weaknesses (CWE)
CWE-863
References
http://packetstormsecurity.com/files/166543/WordPress-Easy-Cookie-Policy-1.6.2-Cross-Site-Scripting.html (contact@wpscan.com)
https://wpscan.com/vulnerability/9157d6d2-4bda-4fcd-8192-363a63a51ff5 (contact@wpscan.com)
http://packetstormsecurity.com/files/166543/WordPress-Easy-Cookie-Policy-1.6.2-Cross-Site-Scripting.html (af854a3a-2127-422b-91ae-364da2661108)
https://wpscan.com/vulnerability/9157d6d2-4bda-4fcd-8192-363a63a51ff5 (af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.