Vulnerability Description
The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wedevs | Wp User Frontend | < 3.5.26 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/166071/WordPress-WP-User-Frontend-3.5.25-SQ (Exploit, Third Party Advisory, VDB Entry)
- https://plugins.trac.wordpress.org/changeset/2648715 (Patch, Third Party Advisory)
- https://wpscan.com/vulnerability/6d3eeba6-5560-4380-a6e9-f008a9112ac6 (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-25076?
CVE-2021-25076 is a vulnerability with a CVSS score of 8.8 (HIGH). The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due ...
How severe is CVE-2021-25076?
CVE-2021-25076 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-25076?
Check the references section above for vendor advisories and patch information. Affected products include: Wedevs Wp User Frontend.