CVE-2021-25018
PPOM for WooCommerce < 24.0 - Subscriber+ Settings Update to Stored XSS
Severity Score
5.4
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues
El plugin PPOM for WooCommerce de WordPress versiones anteriores a 24.0, no presenta comprobaciones de autorización y CSRF en la acción AJAX ppom_settings_panel_action, permitiendo a cualquier autenticado llamarla y establecer configuraciones arbitrarias. Además, debido a una falta de saneo y escape, podría conllevar a problemas de tipo XSS Almacenado
*Credits:
Krzysztof Zając
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-01-14 CVE Reserved
- 2022-01-17 CVE Published
- 2023-09-07 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-862: Missing Authorization
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/9e092aad-0b36-45a9-8987-8d904b34fbb2 | 2024-08-03 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Najeebmedia Search vendor "Najeebmedia" | Ppom For Woocommerce Search vendor "Najeebmedia" for product "Ppom For Woocommerce" | < 24.0 Search vendor "Najeebmedia" for product "Ppom For Woocommerce" and version " < 24.0" | wordpress |
Affected
| ||||||