Vulnerability Description
The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated user, such as a subscriber, to call them and, for example, add arbitrary products or change the plugin's settings.
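The following is an added illustration of the bug class the description refers to and of the fix pattern, not code from the Ultimate Product Catalog plugin or its patch; the handler, option and script names (`upcp_demo_save_settings`, `upcp_demo_options`, `upcp-demo-admin`) are hypothetical. A `wp_ajax_` handler is reachable by any logged-in user, so it must verify both a nonce (CSRF) and a capability (authorisation); a nonce alone does not stop a subscriber who can load a page that embeds it.

```php
<?php
// Added example; not the plugin's own code. Names below are hypothetical.

// BEFORE: the pattern the advisory describes. Any logged-in user, a
// subscriber included, can POST action=upcp_demo_save_settings to
// admin-ajax.php, and nothing here checks who is calling or whether the
// request was intentionally made from the plugin's own settings page.
add_action( 'wp_ajax_upcp_demo_save_settings', 'upcp_demo_save_settings_unchecked' );
function upcp_demo_save_settings_unchecked() {
    update_option( 'upcp_demo_options', wp_unslash( $_POST['options'] ?? array() ) );
    wp_send_json_success();
}

// AFTER: the two checks whose absence the CVE records.
add_action( 'wp_ajax_upcp_demo_save_settings', 'upcp_demo_save_settings_checked' );
function upcp_demo_save_settings_checked() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    //    On failure check_ajax_referer() terminates the request.
    check_ajax_referer( 'upcp_demo_save_settings', 'nonce' );

    // 2. Authorisation: a valid nonce only proves the request came from a
    //    page this user loaded, not that the user may change settings.
    //    Require a capability an administrator has and a subscriber does not.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only now accept and sanitise the input.
    $raw     = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    $options = array_map( 'sanitize_text_field', $raw );
    update_option( 'upcp_demo_options', $options );
    wp_send_json_success( $options );
}

// The nonce the client must send is issued server-side, and only on the
// plugin's settings screen (hook suffix is hypothetical; the 'upcp-demo-admin'
// script is assumed to be registered elsewhere).
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_upcp_demo' !== $hook ) {
        return;
    }
    wp_localize_script( 'upcp-demo-admin', 'upcpDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'upcp_demo_save_settings' ),
    ) );
} );
```

Choose the capability to match the action: settings changes belong to `manage_options`, while creating catalogue entries should map to whatever edit capability the plugin's post type defines, so a subscriber passes neither.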
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Etoilewebdesign | Ultimate Product Catalog | < 5.0.26 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2650578 (Patch, Third Party Advisory)
- https://wpscan.com/vulnerability/514416fa-d915-4953-bf1b-6dbf40b4d7e5 (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-24993?
CVE-2021-24993 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated user, such as a subscriber, to call them...
How severe is CVE-2021-24993?
CVE-2021-24993 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-24993?
Check the references section above for vendor advisories and patch information. Affected products include: Etoilewebdesign Ultimate Product Catalog.