CVE-2021-24635
Last modified
CVE-2021-24635 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, 2) Get title of a password-protected post as well as 3) Upload an image from an URL. EPSS estimates a 0.61% chance of exploitation in the next 30 days.
Description
The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, 2) Get title of a password-protected post as well as 3) Upload an image from an URL
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Bootstrapped | Visual Link Preview | < 2.2.3 |
References
- https://wpscan.com/vulnerability/854b23d9-e3f8-4835-8d29-140c580f11c9Exploit, Third Party Advisory
- https://wpscan.com/vulnerability/854b23d9-e3f8-4835-8d29-140c580f11c9Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-24635?
How severe is CVE-2021-24635?
How do I fix CVE-2021-24635?
Are you affected by CVE-2021-24635?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST