Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls
CVE-2021-24635

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Visual Link Preview
Vendor: CVE Published:; 20 September 2021

What is CVE-2021-24635?

The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, 2) Get title of a password-protected post as well as 3) Upload an image from an URL

Affected Version(s)

Visual Link Preview 2.2.3

References

https://wpscan.com/vulnerability/854b23d9-e3f8-4835-8d29-...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 20, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

apple502j

JSON