CVE-2021-24966

Error Log Viewer Plugin <= 1.1.1 - Admin+ Arbitrary File Clearing

Severity Score

4.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Error Log Viewer WordPress plugin through 1.1.1 does not validate the path of the log file to clear, allowing high privilege users to clear arbitrary files on the web server, including those outside of the blog folder

El plugin Error Log Viewer de WordPress versiones hasta 1.1.1, no comprueba la ruta del archivo de registro que va a ser borrada, permitiendo a usuarios con altos privilegios borrar archivos arbitrarios en el servidor web, incluidos los que están fuera de la carpeta del blog

WordPress Error Log Viewer plugin version 1.1.1 suffers from an arbitrary file deletion vulnerability where it can be leveraged to wipe the internal contents of any named file the webserver has permissions to modify.

*Credits: Ceylan Bozogullarindan

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-14 CVE Reserved
2021-11-10 CVE Published
2022-02-16 First Exploit
2023-10-05 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-73: External Control of File Name or Path

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://www.exploit-db.com/exploits/50746	2022-02-16
https://wpscan.com/vulnerability/166a4f88-4f0c-4bf4-b624-5e6a02e21fa0	2024-08-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Bestwebsoft Search vendor "Bestwebsoft"		Error Log Viewer Search vendor "Bestwebsoft" for product "Error Log Viewer"				<= 1.1.1 Search vendor "Bestwebsoft" for product "Error Log Viewer" and version " <= 1.1.1"		wordpress		Affected