Missing Authorization

CVE-2021-25075

Low

3.5/10

Summary

The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-862 - Missing Authorization

The missing authorization vulnerability occurs when a software program allows users to access privileged parts of the program without verifying the user credentials. Impact of such a vulnerability depends on the resources employed by the software, ranging from account takeover to sensitive information exposure, denial of service, and complete system takeover.

References

Advisory Timeline

Published Feb 21, 2022

Missing Authorization

CVE-2021-25075

Summary

CWE-862 - Missing Authorization

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS