CVE-2021-24814 (GCVE-0-2021-24814)

Vulnerability from cvelistv5 – Published: 2022-02-01 12:21 – Updated: 2024-08-03 19:42
VLAI?
Title
WordPress GDPR & CCPA < 1.9.26 - Authenticated Reflected Cross-Site Scripting
Summary
The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and iframe manipulation are possible because the vulnerable endpoint is on the same domain as the admin panel - there is no same-origin restriction).
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
Credits
Ace Candelario (@0xspade) Victor Paynat-Sautivet (3DS Outscale SOC)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:42:17.189Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/94ab34f6-86a9-4e14-bf86-26ff6cb4383e"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ace Candelario (@0xspade)"
        },
        {
          "lang": "en",
          "value": "Victor Paynat-Sautivet (3DS Outscale SOC)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an \"application/json\" content-type. Since an HTML payload isn\u0027t properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim\u0027s browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and iframe manipulation are possible because the vulnerable endpoint is on the same domain as the admin panel - there is no same-origin restriction)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-01T12:21:26",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/94ab34f6-86a9-4e14-bf86-26ff6cb4383e"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress GDPR \u0026 CCPA \u003c 1.9.26 - Authenticated Reflected Cross-Site Scripting",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-24814",
          "STATE": "PUBLIC",
          "TITLE": "WordPress GDPR \u0026 CCPA \u003c 1.9.26 - Authenticated Reflected Cross-Site Scripting"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ace Candelario (@0xspade)"
          },
          {
            "lang": "eng",
            "value": "Victor Paynat-Sautivet (3DS Outscale SOC)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an \"application/json\" content-type. Since an HTML payload isn\u0027t properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim\u0027s browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and iframe manipulation are possible because the vulnerable endpoint is on the same domain as the admin panel - there is no same-origin restriction)."
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/94ab34f6-86a9-4e14-bf86-26ff6cb4383e",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/94ab34f6-86a9-4e14-bf86-26ff6cb4383e"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2021-24814",
    "datePublished": "2022-02-01T12:21:26",
    "dateReserved": "2021-01-14T00:00:00",
    "dateUpdated": "2024-08-03T19:42:17.189Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:welaunch:wordpress_gdpr\\\\\u0026ccpa:*:*:*:*:*:wordpress:*:*\", \"versionEndIncluding\": \"1.9.26\", \"matchCriteriaId\": \"2C6BF577-87D6-4D7D-A7FB-08D4BB6E5270\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an \\\"application/json\\\" content-type. Since an HTML payload isn\u0027t properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim\u0027s browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and iframe manipulation are possible because the vulnerable endpoint is on the same domain as the admin panel - there is no same-origin restriction).\"}, {\"lang\": \"es\", \"value\": \"La acci\\u00f3n AJAX check_privacy_settings del plugin GDPR de WordPress versiones anteriores a 1.9.26, disponible tanto para usuarios no autenticados como autenticados, responde con datos JSON sin un tipo de contenido \\\"application/json\\\". Dado que la carga \\u00fatil HTML no es escapada correctamente, puede ser interpretada por un navegador web que conlleve a este endpoint. El c\\u00f3digo Javascript puede ser ejecutado en el navegador de la v\\u00edctima. Si la v\\u00edctima es un administrador con una cookie de sesi\\u00f3n v\\u00e1lida, puede tomar el control total de la instancia de WordPress (las llamadas AJAX y la manipulaci\\u00f3n de iframes son posibles porque el endpoint vulnerable est\\u00e1 en el mismo dominio que el panel de administraci\\u00f3n - no se presenta restricci\\u00f3n del mismo origen)\"}]",
      "id": "CVE-2021-24814",
      "lastModified": "2024-11-21T05:53:48.953",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 9.6, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 6.0}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2022-02-01T13:15:08.627",
      "references": "[{\"url\": \"https://wpscan.com/vulnerability/94ab34f6-86a9-4e14-bf86-26ff6cb4383e\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/94ab34f6-86a9-4e14-bf86-26ff6cb4383e\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "contact@wpscan.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-24814\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2022-02-01T13:15:08.627\",\"lastModified\":\"2024-11-21T05:53:48.953\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an \\\"application/json\\\" content-type. Since an HTML payload isn\u0027t properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim\u0027s browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and iframe manipulation are possible because the vulnerable endpoint is on the same domain as the admin panel - there is no same-origin restriction).\"},{\"lang\":\"es\",\"value\":\"La acci\u00f3n AJAX check_privacy_settings del plugin GDPR de WordPress versiones anteriores a 1.9.26, disponible tanto para usuarios no autenticados como autenticados, responde con datos JSON sin un tipo de contenido \\\"application/json\\\". Dado que la carga \u00fatil HTML no es escapada correctamente, puede ser interpretada por un navegador web que conlleve a este endpoint. El c\u00f3digo Javascript puede ser ejecutado en el navegador de la v\u00edctima. Si la v\u00edctima es un administrador con una cookie de sesi\u00f3n v\u00e1lida, puede tomar el control total de la instancia de WordPress (las llamadas AJAX y la manipulaci\u00f3n de iframes son posibles porque el endpoint vulnerable est\u00e1 en el mismo dominio que el panel de administraci\u00f3n - no se presenta restricci\u00f3n del mismo origen)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.6,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:welaunch:wordpress_gdpr\\\\\u0026ccpa:*:*:*:*:*:wordpress:*:*\",\"versionEndIncluding\":\"1.9.26\",\"matchCriteriaId\":\"2C6BF577-87D6-4D7D-A7FB-08D4BB6E5270\"}]}]}],\"references\":[{\"url\":\"https://wpscan.com/vulnerability/94ab34f6-86a9-4e14-bf86-26ff6cb4383e\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/94ab34f6-86a9-4e14-bf86-26ff6cb4383e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.