github - ghsa-9ww6-8m5g-5rm3

GHSA-9WW6-8M5G-5RM3

Vulnerability from github – Published: 2022-03-01 00:00 – Updated: 2022-03-17 00:04

Details

The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-25081"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-28T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin\u0027s settings via a CSRF attack",
  "id": "GHSA-9ww6-8m5g-5rm3",
  "modified": "2022-03-17T00:04:56Z",
  "published": "2022-03-01T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25081"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2667376"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2021-25081 (GCVE-0-2021-25081)

Vulnerability from cvelistv5 – Published: 2022-02-28 09:06 – Updated: 2024-08-03 19:56

Title

WP Google Map < 1.8.4 - Arbitrary Post Deletion and Plugin's Settings Update via CSRF

Summary

Severity ?

No CVSS data available.

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

WPScan

References

URL

Tags

	https://wpscan.com/vulnerability/f85cf258-1c2f-44…	x_refsource_MISC
	https://plugins.trac.wordpress.org/changeset/2667376	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Unknown	Maps Plugin using Google Maps for WordPress – WP Google Map	Affected: 1.8.4 , < 1.8.4 (custom)

Credits

Krzysztof Zając

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:56:10.996Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2667376"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Maps Plugin using Google Maps for WordPress \u2013 WP Google Map",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "1.8.4",
              "status": "affected",
              "version": "1.8.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Krzysztof Zaj\u0105c"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin\u0027s settings via a CSRF attack"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-28T09:06:35",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://plugins.trac.wordpress.org/changeset/2667376"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WP Google Map \u003c 1.8.4 - Arbitrary Post Deletion and Plugin\u0027s Settings Update via CSRF",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-25081",
          "STATE": "PUBLIC",
          "TITLE": "WP Google Map \u003c 1.8.4 - Arbitrary Post Deletion and Plugin\u0027s Settings Update via CSRF"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Maps Plugin using Google Maps for WordPress \u2013 WP Google Map",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.8.4",
                            "version_value": "1.8.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Krzysztof Zaj\u0105c"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin\u0027s settings via a CSRF attack"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/f85cf258-1c2f-444e-91e5-b1fc55880f0e"
            },
            {
              "name": "https://plugins.trac.wordpress.org/changeset/2667376",
              "refsource": "CONFIRM",
              "url": "https://plugins.trac.wordpress.org/changeset/2667376"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2021-25081",
    "datePublished": "2022-02-28T09:06:35",
    "dateReserved": "2021-01-14T00:00:00",
    "dateUpdated": "2024-08-03T19:56:10.996Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-9WW6-8M5G-5RM3

CVE-2021-25081 (GCVE-0-2021-25081)

Tags

Sightings

Nomenclature