CVE-2021-42359— WordPress 访问控制错误漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2021-42359の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
WP DSGVO Tools (GDPR) <= 3.1.23 Unauthenticated Arbitrary Post Deletion
ソース: NVD (National Vulnerability Database)
脆弱性説明
WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, ‘admin-dismiss-unsubscribe‘, which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the “action” parameter set to “admin-dismiss-unsubscribe” and the “id” parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
访问控制不恰当
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
WordPress 访问控制错误漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
WordPress是WordPress(Wordpress)基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 WordPress DSGVO Tools 3.1.23及之前版本存在访问控制错误漏洞,该漏洞源于应用缺少能力检查和随机数检查,可供未经身份验证的用户使用,并且在删除取消订阅时不检查帖子类型要求。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
| ベンダー | プロダクト | 影響を受けるバージョン | CPE | 購読 |
|---|---|---|---|---|
| legalweb | WP DSGVO Tools (GDPR) | 3.1.23 ~ 3.1.23 | - |
II. CVE-2021-42359の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|---|---|---|
| 1 | WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, ‘admin-dismiss-unsubscribe‘, which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the “action” parameter set to “admin-dismiss-unsubscribe” and the “id” parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-42359.yaml | POC詳細 |
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2021-42359のインテリジェンス情報
请登录查看更多情报信息。
IV. 関連脆弱性
同じ製品: WP DSGVO Tools (GDPR)
同じベンダー: legalweb
- CVE-2026-4283
WP DSGVO Tools (GDPR) <= 3.1.38 - Missing Authorization to U - CVE-2026-0914
WP DSGVO Tools (GDPR) <= 3.1.36 - Authenticated (Contributor - CVE-2024-11761
LegalWeb Cloud <= 1.1.2 - Authenticated (Contributor+) Store - CVE-2024-3201
WP DSGVO Tools (GDPR) <= 3.1.32 - Authenticated (Contributor - CVE-2021-4358
WP DSGVO Tools (GDPR) <= 3.1.23 - Unauthenticated Stored Cro
同じ弱点: CWE-284
- CVE-2026-8233
Dotouch XproUPF access control - CVE-2026-42569
phpvms: /importer authorization bypass causing full database - CVE-2026-42205
Avo: Broken Access Control: Unauthorized Execution of Arbitr - CVE-2026-41487
Langfuse: Improper role-based-access control in Langfuse LLM - CVE-2026-42278
UltraDAG: Smart Account Spending Policy Bypass via Pockets
V. CVE-2021-42359へのコメント
まだコメントはありません