Lucene search

[email protected]NVD:CVE-2021-24651

HistoryOct 11, 2021 - 11:15 a.m.

CVE-2021-24651

2021-10-1111:15:08

CWE-89

CWE-203

[email protected]

web.nvd.nist.gov

poll maker

wordpress

sql injection

unauthenticated users

timing attack

exfiltrate data

password hash

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

68.8%

JSON

The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash.

Affected configurations

Nvd

Node

ays-propoll_makerRange<3.4.2wordpress

VendorProductVersionCPE
ays-propoll_maker*cpe:2.3:a:ays-pro:poll_maker:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
ays-pro	poll_maker	*	cpe:2.3:a:ays-pro:poll_maker::::::wordpress::*

References

wpscan.com/vulnerability/24f933b0-ad57-4ed3-817d-d637256e2fb1

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

68.8%

JSON

Related for NVD:CVE-2021-24651

patchstack1 wpvulndb1 cnvd1 cvelist1 wpexploit1 cve1 prion1