Vulnerability Details : CVE-2021-24210
Potential exploit
There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only go to whitelisted pages but it's possible to redirect the victim to any domain.
Vulnerability category: Open redirect
Products affected by CVE-2021-24210
- cpe:2.3:a:kiboit:phastpress:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-24210
18.71%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 95 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-24210
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
8.6
|
4.9
|
NIST | |
|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2021-24210
-
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.Assigned by:
- contact@wpscan.com (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2021-24210
-
https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb
Attention Required! | CloudflareExploit;Third Party Advisory
-
https://plugins.trac.wordpress.org/changeset/2497610/
Changeset 2497610 – WordPress Plugin RepositoryPatch;Third Party Advisory
Jump to