CVE-2021-24192

Published: May 14, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Tree Sitemap WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

Affected (1)

Products: Sitemap Project: Sitemap

Sitemap Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sitemap Project Sitemap	Before 2.9

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c

Source: contact@wpscan.com

ExploitPatchThird Party Advisory

https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.