CVE-2021-24379

The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some Restriction modes, such as Cookie Restriction, IP Restrictions, Logged In User Restriction, however, they do not prevent such attack as they only check client side

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://wpscan.com/vulnerability/aae7a889-195c-45a3-bbe4-e6d4cd2d7fd9	Exploit Third Party Advisory
https://wpscan.com/vulnerability/aae7a889-195c-45a3-bbe4-e6d4cd2d7fd9	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wphappycoders:comments_like_dislike:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 05:52

Type	Values Removed	Values Added
References	~~() https://wpscan.com/vulnerability/aae7a889-195c-45a3-bbe4-e6d4cd2d7fd9 - Exploit, Third Party Advisory~~	() https://wpscan.com/vulnerability/aae7a889-195c-45a3-bbe4-e6d4cd2d7fd9 - Exploit, Third Party Advisory

Information

Published : 2021-06-21 20:15

Updated : 2024-11-21 05:52

NVD link : CVE-2021-24379

Mitre link : CVE-2021-24379

CVE.ORG link : CVE-2021-24379

JSON object : View

Products Affected

wphappycoders

comments_like_dislike

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2021-24379", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2021-06-21T20:15:09.257", "references": [{"url": "https://wpscan.com/vulnerability/aae7a889-195c-45a3-bbe4-e6d4cd2d7fd9", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/aae7a889-195c-45a3-bbe4-e6d4cd2d7fd9", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some Restriction modes, such as Cookie Restriction, IP Restrictions, Logged In User Restriction, however, they do not prevent such attack as they only check client side"}, {"lang": "es", "value": "El plugin Comments Like Dislike de WordPress versiones anteriores a 1.1.4, permite a usuarios dar me gusta/no me gusta a los comentarios publicados, sin embargo no previene que se repita la petici\u00f3n AJAX para a\u00f1adir un like. Esto permite a cualquier usuario (incluso no autentificado) a\u00f1adir un like/dislike ilimitado a cualquier comentario. El plugin parece tener algunos modos de restricci\u00f3n, como la Restricci\u00f3n de Cookies, restricciones de IP, Restricci\u00f3n de Usuarios Registrados, sin embargo, no previenen este ataque ya que s\u00f3lo comprueban el lado del cliente"}], "lastModified": "2024-11-21T05:52:57.073", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wphappycoders:comments_like_dislike:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "E413D7A1-1C54-4B8D-BEA9-93DE9D5D2E3E", "versionEndExcluding": "1.1.4"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}