CVE-2021-4377 - OpenCVE

The Doneren met Mollie plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.8.5 via the dmm_export_donations() function which is called via the admin_post_dmm_export hook due to missing capability checks. This can allow authenticated attackers to extract a CSV file that contains sensitive information about the donors.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wobbie	Doneren Met Mollie

Configuration 1 [-]

cpe:2.3:a:wobbie:doneren_met_mollie:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://blog.nintechnet.com/information-disclosure-vulnerability-fixed-in-wordpress-doneren-met-mollie-plugin/
https://plugins.trac.wordpress.org/changeset/2459548
https://wpscan.com/vulnerability/36afc442-9634-498e-961e-4c935880cd2b
https://www.wordfence.com/threat-intel/vulnerabilities/id/ed99a056-42c6-4540-950e-12f8b547b64d?source=cve

History

No history.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-06-07T01:51:50.247Z

Updated: 2024-08-03T17:23:10.691Z

Reserved: 2023-06-06T13:21:27.643Z

Link: CVE-2021-4377

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-06-07T02:15:15.340

Modified: 2023-11-07T03:40:48.943

Link: CVE-2021-4377

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-4377", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-06-06T13:21:27.643Z", "datePublished": "2023-06-07T01:51:50.247Z", "dateUpdated": "2024-08-03T17:23:10.691Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2023-06-07T01:51:50.247Z"}, "affected": [{"vendor": "ndijkstra", "product": "Doneren met Mollie", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Doneren met Mollie plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.8.5 via the dmm_export_donations() function which is called via the admin_post_dmm_export hook due to missing capability checks. This can allow authenticated attackers to extract a CSV file that contains sensitive information about the donors."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed99a056-42c6-4540-950e-12f8b547b64d?source=cve"}, {"url": "https://blog.nintechnet.com/information-disclosure-vulnerability-fixed-in-wordpress-doneren-met-mollie-plugin/"}, {"url": "https://plugins.trac.wordpress.org/changeset/2459548"}, {"url": "https://wpscan.com/vulnerability/36afc442-9634-498e-961e-4c935880cd2b"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Information Exposure"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jerome Bruandet"}], "timeline": [{"time": "2021-01-22T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:23:10.691Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed99a056-42c6-4540-950e-12f8b547b64d?source=cve", "tags": ["x_transferred"]}, {"url": "https://blog.nintechnet.com/information-disclosure-vulnerability-fixed-in-wordpress-doneren-met-mollie-plugin/", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/2459548", "tags": ["x_transferred"]}, {"url": "https://wpscan.com/vulnerability/36afc442-9634-498e-961e-4c935880cd2b", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wobbie:doneren_met_mollie:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4C363B38-B1CF-4305-90F8-DA3068DDAF1A", "versionEndIncluding": "2.8.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Doneren met Mollie plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.8.5 via the dmm_export_donations() function which is called via the admin_post_dmm_export hook due to missing capability checks. This can allow authenticated attackers to extract a CSV file that contains sensitive information about the donors."}, {"lang": "es", "value": "El plugin Doneren met Mollie para WordPress es vulnerable a la exposici\u00f3n de datos sensibles en versiones hasta la v2.8.5 inclusive, a trav\u00e9s de la funci\u00f3n \"dmm_export_donations()\" que se llama a trav\u00e9s del hook \"admin_post_dmm_export\" debido a la falta de comprobaciones de capacidad. Esto puede permitir a atacantes autenticados extraer un archivo CSV que contiene informaci\u00f3n sensible sobre los donantes."}], "id": "CVE-2021-4377", "lastModified": "2023-11-07T03:40:48.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2023-06-07T02:15:15.340", "references": [{"source": "security@wordfence.com", "tags": ["Exploit"], "url": "https://blog.nintechnet.com/information-disclosure-vulnerability-fixed-in-wordpress-doneren-met-mollie-plugin/"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/2459548"}, {"source": "security@wordfence.com", "tags": ["Exploit"], "url": "https://wpscan.com/vulnerability/36afc442-9634-498e-961e-4c935880cd2b"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed99a056-42c6-4540-950e-12f8b547b64d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}