CVE-2021-24819 - OpenCVE

The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Page\/post Content Shortcode Project	Page\/post Content Shortcode

Configuration 1 [-]

cpe:2.3:a:page\/post_content_shortcode_project:page\/post_content_shortcode:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wpscan.com/vulnerability/c97b218c-b430-4301-884f-f64d0dd08f07

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-12-13T10:41:02

Updated: 2024-08-03T19:42:17.341Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24819

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-12-13T11:15:08.857

Modified: 2021-12-16T17:10:21.520

Link: CVE-2021-24819

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Page/Post Content Shortcode", "vendor": "Unknown", "versions": [{"lessThanOrEqual": "1.0", "status": "affected", "version": "1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Francesco Carlucci"}], "descriptions": [{"lang": "en", "value": "The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-13T10:41:02", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/c97b218c-b430-4301-884f-f64d0dd08f07"}], "source": {"discovery": "EXTERNAL"}, "title": "Page/Post Content Shortcode <= 1.0 - Contributor+ Arbitrary Posts/Pages Access", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24819", "STATE": "PUBLIC", "TITLE": "Page/Post Content Shortcode <= 1.0 - Contributor+ Arbitrary Posts/Pages Access"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Page/Post Content Shortcode", "version": {"version_data": [{"version_affected": "<=", "version_name": "1.0", "version_value": "1.0"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Francesco Carlucci"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863 Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/c97b218c-b430-4301-884f-f64d0dd08f07", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/c97b218c-b430-4301-884f-f64d0dd08f07"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:42:17.341Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/c97b218c-b430-4301-884f-f64d0dd08f07"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24819", "datePublished": "2021-12-13T10:41:02", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:42:17.341Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:page\\/post_content_shortcode_project:page\\/post_content_shortcode:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F9974642-CAF5-4862-AB06-A12EDA7BAD06", "versionEndIncluding": "1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors."}, {"lang": "es", "value": "El plugin Page/Post Content Shortcode de WordPress versiones hasta 1.0, no cuenta con la autorizaci\u00f3n apropiada, permitiendo a usuarios con un rol tan bajo como el de colaborador acceder a posts/p\u00e1ginas borrador/privadas/protegidas por contrase\u00f1a a las que no deber\u00edan tener acceso, incluyendo posts creados por otros usuarios como administradores y editores"}], "id": "CVE-2021-24819", "lastModified": "2021-12-16T17:10:21.520", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-13T11:15:08.857", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/c97b218c-b430-4301-884f-f64d0dd08f07"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "contact@wpscan.com", "type": "Secondary"}]}