CVE-2021-24289

Published: May 17, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin.

Affected (1)

Products: De Baat: Store Locator Plus

De Baat

1 product

Store Locator Plus

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
De Baat Store Locator Plus	Up to 5.5.14

Related CWEs

CWE-269

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (4)

https://wpscan.com/vulnerability/078e93cd-7cf2-4e23-8171-58d44e354d62

Source: contact@wpscan.com

Third Party Advisory

https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-leads-to-closure-of-store-locator-plus-plugin/

Source: contact@wpscan.com

Third Party Advisory

https://wpscan.com/vulnerability/078e93cd-7cf2-4e23-8171-58d44e354d62

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-leads-to-closure-of-store-locator-plus-plugin/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.