The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection.
References
Link | Resource |
---|---|
https://plugins.trac.wordpress.org/changeset/2496238/wp-super-cache | Patch Third Party Advisory |
https://wpscan.com/vulnerability/733d8a02-0d44-4b78-bbb2-37e447acd2f3 | Exploit Third Party Advisory |
https://plugins.trac.wordpress.org/changeset/2496238/wp-super-cache | Patch Third Party Advisory |
https://wpscan.com/vulnerability/733d8a02-0d44-4b78-bbb2-37e447acd2f3 | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 05:52
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/changeset/2496238/wp-super-cache - Patch, Third Party Advisory | |
References | () https://wpscan.com/vulnerability/733d8a02-0d44-4b78-bbb2-37e447acd2f3 - Exploit, Third Party Advisory |
07 Nov 2023, 03:31
Type | Values Removed | Values Added |
---|---|---|
CWE |
04 Jul 2023, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Jun 2023, 17:43
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-94 |
Information
Published : 2021-04-05 19:15
Updated : 2024-11-21 05:52
NVD link : CVE-2021-24209
Mitre link : CVE-2021-24209
CVE.ORG link : CVE-2021-24209
JSON object : View
Products Affected
automattic
- wp_super_cache
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')