CVE-2021-24851

Published: Nov 17, 2021Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue.

Affected (1)

Products: Insert Pages Project: Insert Pages

Insert Pages Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Insert Pages Project Insert Pages	Before 3.7.0

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://plugins.trac.wordpress.org/changeset/2614442/insert-pages

Source: contact@wpscan.com

PatchThird Party Advisory

https://wpscan.com/vulnerability/919e67a1-3a50-4940-bb4f-5c5cc2017a83

Source: contact@wpscan.com

ExploitThird Party Advisory

https://plugins.trac.wordpress.org/changeset/2614442/insert-pages

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://wpscan.com/vulnerability/919e67a1-3a50-4940-bb4f-5c5cc2017a83

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.