This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: Critical Access Control Error in WordPress Plugin 'Pinterest Automatic'. **Consequences**: Unauthenticated attackers can bypass authorization.…
**CWE**: CWE-284 (Improper Access Control). **Flaw**: Missing capability checks on the `wp_pinterest_automatic_parse_request` function and `process_form.php` script.…
**Vendor**: ValvePress. **Product**: Pinterest Automatic (WordPress Plugin). **Affected Versions**: Up to and including version **1.14.3**.
Q4 What can hackers do? (Privileges/Data)
**Privileges**: Attackers can create **new administrative user accounts** without authentication. **Data/Impact**: They can update arbitrary site options, potentially redirecting unsuspecting visitors to malicious si…
**Threshold**: **LOW**. **Auth**: **Unauthenticated** (PR:N). No login required. **Network**: Network accessible (AV:N). **UI**: No user interaction needed (UI:N). Easy to exploit.
Q6 Is there a public Exp? (PoC/Wild Exploitation)
**Yes**. **PoC**: Public Nuclei template available on GitHub (projectdiscovery/nuclei-templates). **Exploitation**: Wild exploitation is likely due to the simplicity of the bypass and lack of auth requirements.
Q7 How to self-check? (Features/Scanning)
**Check**: Scan for the presence of `process_form.php` or the `wp_pinterest_automatic_parse_request` function. **Tool**: Use Nuclei with the specific CVE-2021-4380 template. **Indicator**: Check if the plugin vers…
**Workaround**: If patching is delayed, **disable or delete** the 'Pinterest Automatic' plugin immediately. **Alternative**: Restrict access to `process_form.php` via `.htaccess` or WAF rules if the plugin must remai…