CVE-2021-25106

{"id": "CVE-2021-25106", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2022-02-07T16:15:45.840", "references": [{"url": "https://wpscan.com/vulnerability/47df802d-5200-484b-959c-9f569edf992e", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting"}, {"lang": "es", "value": "El plugin Privacy Policy Generator, Terms & Conditions Generator : WPLegalPages de WordPress versiones anteriores a 2.7.1, no comprueba la autorizaci\u00f3n y presenta una l\u00f3gica de tipo CSRF fallida cuando guarda sus configuraciones, permitiendo a cualquier usuario autenticado, como el suscriptor, actualizarlas. Adem\u00e1s, debido a una falta de saneo y escape, podr\u00eda conllevar a un ataque de tipo Cross-Site Scripting Almacenado"}], "lastModified": "2022-02-10T21:24:28.200", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wpeka:wplegalpages:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "65080FC8-7CC7-42A7-86D7-894D6A7C99A0", "versionEndExcluding": "2.7.1"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}