Lucene search

[email protected]NVD:CVE-2021-39327

HistorySep 17, 2021 - 11:15 a.m.

CVE-2021-39327

2021-09-1711:15:08

CWE-200

CWE-459

[email protected]

web.nvd.nist.gov

bulletproof security

wordpress plugin

sensitive information disclosure

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.4

Percentile

97.3%

JSON

The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.

Affected configurations

Nvd

Node

ait-probulletproof_securityRange≤5.1wordpress

VendorProductVersionCPE
ait-probulletproof_security*cpe:2.3:a:ait-pro:bulletproof_security:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
ait-pro	bulletproof_security	*	cpe:2.3:a:ait-pro:bulletproof_security::::::wordpress::*

References

packetstormsecurity.com/files/164420/WordPress-BulletProof-Security-5.1-Information-Disclosure.html

github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2021-39327

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2591118%40bulletproof-security&new=2591118%40bulletproof-security&sfp_email=&sfph_mail=

www.exploit-db.com/exploits/50382

www.wordfence.com/vulnerability-advisories/#CVE-2021-39327