CVE-2021-24851 - Vulnerability Details - OpenCVE

Description

The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue.

Published: 2021-11-17

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Unknown

Insert Pages

affected

Version	Status	Constraints
`3.7.0`	affected	< 3.7.0

Configuration 1 [-]

cpe:2.3:a:insert_pages_project:insert_pages:*:*:*:*:*:wordpress:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2021-11763	The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00186.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/2614442/insert-pages
https://wpscan.com/vulnerability/919e67a1-3a50-4940-bb4f-5c5cc2017a83

History

No history.

Subscriptions

Insert Pages Project Insert Pages

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-11-17T10:15:54.000Z

Updated: 2024-08-03T19:42:17.425Z

Reserved: 2021-01-14T00:00:00.000Z

Link: CVE-2021-24851

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-11-17T11:15:08.380

Modified: 2024-11-21T05:53:53.280

Link: CVE-2021-24851

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"containers": {"cna": {"affected": [{"product": "Insert Pages", "vendor": "Unknown", "versions": [{"lessThan": "3.7.0", "status": "affected", "version": "3.7.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Francesco Carlucci"}], "descriptions": [{"lang": "en", "value": "The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-17T10:15:53.000Z", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/919e67a1-3a50-4940-bb4f-5c5cc2017a83"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://plugins.trac.wordpress.org/changeset/2614442/insert-pages"}], "source": {"discovery": "EXTERNAL"}, "title": "Insert Pages < 3.7.0 - Contributor+ Arbitrary Posts/Pages Access", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24851", "STATE": "PUBLIC", "TITLE": "Insert Pages < 3.7.0 - Contributor+ Arbitrary Posts/Pages Access"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Insert Pages", "version": {"version_data": [{"version_affected": "<", "version_name": "3.7.0", "version_value": "3.7.0"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Francesco Carlucci"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863 Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/919e67a1-3a50-4940-bb4f-5c5cc2017a83", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/919e67a1-3a50-4940-bb4f-5c5cc2017a83"}, {"name": "https://plugins.trac.wordpress.org/changeset/2614442/insert-pages", "refsource": "CONFIRM", "url": "https://plugins.trac.wordpress.org/changeset/2614442/insert-pages"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:42:17.425Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/919e67a1-3a50-4940-bb4f-5c5cc2017a83"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://plugins.trac.wordpress.org/changeset/2614442/insert-pages"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24851", "datePublished": "2021-11-17T10:15:54.000Z", "dateReserved": "2021-01-14T00:00:00.000Z", "dateUpdated": "2024-08-03T19:42:17.425Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:insert_pages_project:insert_pages:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "389FA8BF-8744-4782-B3C1-75BE271FE080", "versionEndExcluding": "3.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue."}, {"lang": "es", "value": "El plugin Insert Pages de WordPress versiones anteriores a 3.7.0, permite a usuarios con un rol tan bajo como el de Colaborador acceder al contenido y a los metadatos de publicaciones/p\u00e1ginas arbitrarias, independientemente de su autor y estado (es decir, privado), usando un shortcode. Las entradas/p\u00e1ginas protegidas con contrase\u00f1a no est\u00e1n afectadas por este problema"}], "id": "CVE-2021-24851", "lastModified": "2024-11-21T05:53:53.280", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-17T11:15:08.380", "references": [{"source": "contact@wpscan.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/changeset/2614442/insert-pages"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/919e67a1-3a50-4940-bb4f-5c5cc2017a83"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/changeset/2614442/insert-pages"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/919e67a1-3a50-4940-bb4f-5c5cc2017a83"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "contact@wpscan.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}