Vulnerability Description
The PWA for WP & AMP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the pwaforwp_update_features_options function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to change the otherwise restricted settings within the plugin.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Magazine3 | Pwa For Wp \& Amp | < 1.7.33 |
Related Weaknesses (CWE)
References
- https://blog.nintechnet.com/wordpress-pwa-for-wp-and-amp-plugin-fixed-vulnerabilExploitThird Party Advisory
- https://wpscan.com/vulnerability/b38a51d7-375e-4cca-88ba-ccab796ac134Third Party Advisory
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a9892dd1-3939-41a9-a82Third Party Advisory
- https://blog.nintechnet.com/wordpress-pwa-for-wp-and-amp-plugin-fixed-vulnerabilExploitThird Party Advisory
- https://wpscan.com/vulnerability/b38a51d7-375e-4cca-88ba-ccab796ac134Third Party Advisory
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a9892dd1-3939-41a9-a82Third Party Advisory
FAQ
What is CVE-2021-4366?
CVE-2021-4366 is a vulnerability with a CVSS score of 6.3 (MEDIUM). The PWA for WP & AMP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the pwaforwp_update_features_options function in versions up to, and including, 1....
How severe is CVE-2021-4366?
CVE-2021-4366 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-4366?
Check the references section above for vendor advisories and patch information. Affected products include: Magazine3 Pwa For Wp \& Amp.