FKIE_CVE-2021-4444

Vulnerability from fkie_nvd - Published: 2024-10-16 07:15 - Updated: 2024-10-16 16:38
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
The Product Filter by WooBeWoo plugin for WordPress is vulnerable to authorization bypass in versions up to, and including 1.4.9 due to missing authorization checks on various functions. This makes it possible for unauthenticated attackers to perform unauthorized actions such as creating new filters and injecting malicious javascript into a vulnerable site. This was actively exploited at the time of discovery.
References
security@wordfence.comhttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2527958%40woo-product-filter&new=2527958%40woo-product-filter&sfp_email=&sfph_mail=
security@wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/30b6b0bf-e632-4e83-89ee-a424382534da?source=cve
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Product Filter by WooBeWoo plugin for WordPress is vulnerable to authorization bypass in versions up to, and including 1.4.9 due to missing authorization checks on various functions. This makes it possible for unauthenticated attackers to perform unauthorized actions such as creating new filters and injecting malicious javascript into a vulnerable site. This was actively exploited at the time of discovery."
    },
    {
      "lang": "es",
      "value": "El complemento Product Filter de WooBeWoo para WordPress es vulnerable a la omisi\u00f3n de autorizaci\u00f3n en versiones hasta la 1.4.9 incluida, debido a la falta de comprobaciones de autorizaci\u00f3n en varias funciones. Esto hace posible que atacantes no autenticados realicen acciones no autorizadas, como crear nuevos filtros e inyectar JavaScript malicioso en un sitio vulnerable. Esto se explot\u00f3 activamente en el momento del descubrimiento."
    }
  ],
  "id": "CVE-2021-4444",
  "lastModified": "2024-10-16T16:38:14.557",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.4,
        "source": "security@wordfence.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-16T07:15:09.960",
  "references": [
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2527958%40woo-product-filter\u0026new=2527958%40woo-product-filter\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "source": "security@wordfence.com",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30b6b0bf-e632-4e83-89ee-a424382534da?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.