CVE-2021-25081 (GCVE-0-2021-25081)

Vulnerability from cvelistv5 – Published: 2022-02-28 09:06 – Updated: 2024-08-03 19:56
VLAI?
Title
WP Google Map < 1.8.4 - Arbitrary Post Deletion and Plugin's Settings Update via CSRF
Summary
The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack
Severity ?
No CVSS data available.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
Vendor Product Version
Unknown Maps Plugin using Google Maps for WordPress – WP Google Map Affected: 1.8.4 , < 1.8.4 (custom)
Create a notification for this product.
Credits
Krzysztof Zając
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:56:10.996Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2667376"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Maps Plugin using Google Maps for WordPress \u2013 WP Google Map",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "1.8.4",
              "status": "affected",
              "version": "1.8.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Krzysztof Zaj\u0105c"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin\u0027s settings via a CSRF attack"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-28T09:06:35",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://plugins.trac.wordpress.org/changeset/2667376"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WP Google Map \u003c 1.8.4 - Arbitrary Post Deletion and Plugin\u0027s Settings Update via CSRF",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-25081",
          "STATE": "PUBLIC",
          "TITLE": "WP Google Map \u003c 1.8.4 - Arbitrary Post Deletion and Plugin\u0027s Settings Update via CSRF"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Maps Plugin using Google Maps for WordPress \u2013 WP Google Map",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.8.4",
                            "version_value": "1.8.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Krzysztof Zaj\u0105c"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin\u0027s settings via a CSRF attack"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e"
            },
            {
              "name": "https://plugins.trac.wordpress.org/changeset/2667376",
              "refsource": "CONFIRM",
              "url": "https://plugins.trac.wordpress.org/changeset/2667376"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2021-25081",
    "datePublished": "2022-02-28T09:06:35",
    "dateReserved": "2021-01-14T00:00:00",
    "dateUpdated": "2024-08-03T19:56:10.996Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:wpgooglemap:wp_google_map:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"1.8.4\", \"matchCriteriaId\": \"CE7FB7D4-CC42-4D3E-9ADE-90ACC5EF53F6\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin\u0027s settings via a CSRF attack\"}, {\"lang\": \"es\", \"value\": \"El plugin Maps usando Google Maps para WordPress versiones anteriores a 1.8.4 no presenta comprobaciones CSRF en la mayor\\u00eda de sus acciones AJAX, lo que podr\\u00eda permitir a atacantes hacer que los administradores con sesi\\u00f3n iniciada eliminen entradas arbitrarias y actualicen la configuraci\\u00f3n del plugin por medio de un ataque CSRF\"}]",
      "id": "CVE-2021-25081",
      "lastModified": "2024-11-21T05:54:18.860",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2022-02-28T09:15:08.627",
      "references": "[{\"url\": \"https://plugins.trac.wordpress.org/changeset/2667376\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/2667376\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "contact@wpscan.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"contact@wpscan.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-25081\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2022-02-28T09:15:08.627\",\"lastModified\":\"2024-11-21T05:54:18.860\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin\u0027s settings via a CSRF attack\"},{\"lang\":\"es\",\"value\":\"El plugin Maps usando Google Maps para WordPress versiones anteriores a 1.8.4 no presenta comprobaciones CSRF en la mayor\u00eda de sus acciones AJAX, lo que podr\u00eda permitir a atacantes hacer que los administradores con sesi\u00f3n iniciada eliminen entradas arbitrarias y actualicen la configuraci\u00f3n del plugin por medio de un ataque CSRF\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"contact@wpscan.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wpgooglemap:wp_google_map:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"1.8.4\",\"matchCriteriaId\":\"CE7FB7D4-CC42-4D3E-9ADE-90ACC5EF53F6\"}]}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/changeset/2667376\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://plugins.trac.wordpress.org/changeset/2667376\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.