CVE-2021-24890
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Unknown | scripts-organizer | 3.0 < 3.0 | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
- CWE-352: CWE-352 Cross-Site Request Forgery (CSRF)
ADP Enrichment
CVE Program Container
Additional References
- https://wpscan.com/vulnerability/f3b450d2-84ce-4c13-ad6a-b60785dee7e7
- https://dplugins.com/products/scripts-organizer/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://wpscan.com/vulnerability/f3b450d2-84ce-4c13-ad6a-b60785dee7e7
- https://dplugins.com/products/scripts-organizer/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.