CVE-2021-24305

{"id": "CVE-2021-24305", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2021-05-24T11:15:08.283", "references": [{"url": "https://wpscan.com/vulnerability/4d55d1f5-a7b8-4029-942d-7a13e2498f64", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://www.targetfirst.com/", "tags": ["Vendor Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/4d55d1f5-a7b8-4029-942d-7a13e2498f64", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.targetfirst.com/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Target First WordPress Plugin v2.0, also previously known as Watcheezy, suffers from a critical unauthenticated stored XSS vulnerability. An attacker could change the licence key value through a POST on any URL with the 'weeWzKey' parameter that will be save as the 'weeID option and is not sanitized."}, {"lang": "es", "value": "El plugin de WordPress Target First versi\u00f3n v2.0, tambi\u00e9n se conoce anteriormente como Watcheezy, sufre una vulnerabilidad cr\u00edtica de tipo XSS almacenado no autenticado. Un atacante podr\u00eda cambiar el valor de la clave de licencia por medio de un POST en cualquier URL con el par\u00e1metro \"weeWzKey\" que se guardar\u00e1 como la opci\u00f3n 'weeID y no es saneado"}], "lastModified": "2024-11-21T05:52:48.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:targetfirst:watcheezy:2.0:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "074A4273-DCFA-4DBA-8FB8-95B7A7EAAE4C"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}