CVE-2021-24501 - Vulnerability Details - OpenCVE

The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00294.

Key SSVC decision points have not yet been added.

Vendors	Products
Amentotech	Workreap

Configuration 1 [-]

cpe:2.3:a:amentotech:workreap:*:*:*:*:*:wordpress:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-11413	The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/
https://wpscan.com/vulnerability/66e4aaf4-5ef7-4da8-a45c-e24f449c363e

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-08-09T10:04:09

Updated: 2024-08-03T19:35:19.963Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24501

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-09T10:15:07.553

Modified: 2024-11-21T05:53:11.397

Link: CVE-2021-24501

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Workreap", "vendor": "Unknown", "versions": [{"lessThan": "2.2.2", "status": "affected", "version": "2.2.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Harald Eilertsen (Jetpack)"}], "descriptions": [{"lang": "en", "value": "The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-283", "description": "CWE-283 Unverified Ownership", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-09T10:04:09", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/"}, {"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/66e4aaf4-5ef7-4da8-a45c-e24f449c363e"}], "source": {"discovery": "UNKNOWN"}, "title": "Workreap theme < 2.2.2 - Missing Authorization Checks in Ajax Actions", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24501", "STATE": "PUBLIC", "TITLE": "Workreap theme < 2.2.2 - Missing Authorization Checks in Ajax Actions"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Workreap", "version": {"version_data": [{"version_affected": "<", "version_name": "2.2.2", "version_value": "2.2.2"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Harald Eilertsen (Jetpack)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-283 Unverified Ownership"}]}, {"description": [{"lang": "eng", "value": "CWE-862 Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/", "refsource": "MISC", "url": "https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/"}, {"name": "https://wpscan.com/vulnerability/66e4aaf4-5ef7-4da8-a45c-e24f449c363e", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/66e4aaf4-5ef7-4da8-a45c-e24f449c363e"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:35:19.963Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/66e4aaf4-5ef7-4da8-a45c-e24f449c363e"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24501", "datePublished": "2021-08-09T10:04:09", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:35:19.963Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amentotech:workreap:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "765DAFC3-F01C-4AF6-B0B5-94CCECE97AE2", "versionEndExcluding": "2.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site."}, {"lang": "es", "value": "El tema de Workreap WordPress versiones anteriores a 2.2.2, presentaban varias acciones AJAX que carec\u00edan de comprobaciones de autorizaci\u00f3n para verificar que un usuario estaba autorizado a llevar a cabo operaciones cr\u00edticas como la modificaci\u00f3n o la eliminaci\u00f3n de objetos. Esto permit\u00eda a un usuario conectado modificar o eliminar objetos pertenecientes a otros usuarios del sitio"}], "id": "CVE-2021-24501", "lastModified": "2024-11-21T05:53:11.397", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-09T10:15:07.553", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/66e4aaf4-5ef7-4da8-a45c-e24f449c363e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/66e4aaf4-5ef7-4da8-a45c-e24f449c363e"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-283"}, {"lang": "en", "value": "CWE-862"}], "source": "contact@wpscan.com", "type": "Secondary"}]}