CVE-2021-25075

Published: 21/02/2022 Updated: 28/02/2022

CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8

CVSS v3 Base Score: 3.5 | Impact Score: 1.4 | Exploitability Score: 2.1

VMScore: 312

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

The Duplicate Page or Post WordPress plugin prior to 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues

Vulnerable Product	Search on Vulmon	Subscribe to Product
wpdevart duplicate page or post

A proof-of-concept WordPress plugin fuzzer

wpgarlic A proof-of-concept WordPress plugin fuzzer that led to the discovery of more than 250 vulnerabilities in WordPress plugins installed on around 20 million sites The used technique is described in kazetcc/2022/02/03/fuzzing-wordpress-pluginshtml If you want to continue the research, start with less popular plugins - if a plugin achieved at least 10k active ins

CWE-862 https://wpscan.com/vulnerability/db5a0431-af4d-45b7-be4e-36b6c90a601b https://nvd.nist.gov https://github.com/kazet/wpgarlic

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2021-25075

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect