CVE-2021-24814

{"id": "CVE-2021-24814", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}]}, "published": "2022-02-01T13:15:08.627", "references": [{"url": "https://wpscan.com/vulnerability/94ab34f6-86a9-4e14-bf86-26ff6cb4383e", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an \"application/json\" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and iframe manipulation are possible because the vulnerable endpoint is on the same domain as the admin panel - there is no same-origin restriction)."}, {"lang": "es", "value": "La acci\u00f3n AJAX check_privacy_settings del plugin GDPR de WordPress versiones anteriores a 1.9.26, disponible tanto para usuarios no autenticados como autenticados, responde con datos JSON sin un tipo de contenido \"application/json\". Dado que la carga \u00fatil HTML no es escapada correctamente, puede ser interpretada por un navegador web que conlleve a este endpoint. El c\u00f3digo Javascript puede ser ejecutado en el navegador de la v\u00edctima. Si la v\u00edctima es un administrador con una cookie de sesi\u00f3n v\u00e1lida, puede tomar el control total de la instancia de WordPress (las llamadas AJAX y la manipulaci\u00f3n de iframes son posibles porque el endpoint vulnerable est\u00e1 en el mismo dominio que el panel de administraci\u00f3n - no se presenta restricci\u00f3n del mismo origen)"}], "lastModified": "2022-02-07T20:41:07.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:welaunch:wordpress_gdpr\\&ccpa:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "2C6BF577-87D6-4D7D-A7FB-08D4BB6E5270", "versionEndIncluding": "1.9.26"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}