Vulnerability Description
The Quick Page/Post Redirect Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the qppr_save_quick_redirect_ajax and qppr_delete_quick_redirect functions in versions up to, and including, 5.1.9. This makes it possible for low-privileged attackers to interact with the plugin settings and to create a redirect link that would forward all traffic to an external malicious website.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Quick Page\/Post Redirect Project | Quick Page\/Post Redirect | <= 5.1.9 |
Related Weaknesses (CWE)
References
- https://blog.nintechnet.com/authenticated-settings-change-vulnerability-in-wordpExploit
- https://wpscan.com/vulnerability/10198Third Party Advisory
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-quick-page-post-reThird Party Advisory
- https://www.wordfence.com/threat-intel/vulnerabilities/id/11c4b855-8589-4ad2-b41Third Party Advisory
- https://blog.nintechnet.com/authenticated-settings-change-vulnerability-in-wordpExploit
- https://wpscan.com/vulnerability/10198Third Party Advisory
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-quick-page-post-reThird Party Advisory
- https://www.wordfence.com/threat-intel/vulnerabilities/id/11c4b855-8589-4ad2-b41Third Party Advisory
FAQ
What is CVE-2020-36699?
CVE-2020-36699 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The Quick Page/Post Redirect Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the qppr_save_quick_redirect_ajax and qppr_delete_quick_redirect functions i...
How severe is CVE-2020-36699?
CVE-2020-36699 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-36699?
Check the references section above for vendor advisories and patch information. Affected products include: Quick Page\/Post Redirect Project Quick Page\/Post Redirect.