CVE-2021-24251 - OpenCVE

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status (from pending to completed to example)

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Strategy11	Business Directory Plugin - Easy Listing Directories

Configuration 1 [-]

cpe:2.3:a:strategy11:business_directory_plugin_-_easy_listing_directories:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://wpscan.com/vulnerability/c9911236-4af3-4557-9bc0-217face534e1	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: WPScan

Published: 2021-05-05T18:39:43

Updated: 2021-05-05T18:39:43

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24251

JSON object: View

NVD Information

Status : Modified

Published: 2021-05-06T13:15:11.727

Modified: 2023-11-07T03:31:09.083

Link: CVE-2021-24251

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "Business Directory Plugin \u2013 Easy Listing Directories for WordPress", "vendor": "Business Directory Team", "versions": [{"lessThan": "5.11.2", "status": "affected", "version": "5.11.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "0xB9"}], "descriptions": [{"lang": "en", "value": "The Business Directory Plugin \u2013 Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status (from pending to completed to example)"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-05T18:39:43", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wpscan.com/vulnerability/c9911236-4af3-4557-9bc0-217face534e1"}], "source": {"discovery": "UNKNOWN"}, "title": "Business Directory Plugin < 5.11.2 - Arbitrary Payment History Update", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24251", "STATE": "PUBLIC", "TITLE": "Business Directory Plugin < 5.11.2 - Arbitrary Payment History Update"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Business Directory Plugin \u2013 Easy Listing Directories for WordPress", "version": {"version_data": [{"version_affected": "<", "version_name": "5.11.2", "version_value": "5.11.2"}]}}]}, "vendor_name": "Business Directory Team"}]}}, "credit": [{"lang": "eng", "value": "0xB9"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Business Directory Plugin \u2013 Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status (from pending to completed to example)"}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/c9911236-4af3-4557-9bc0-217face534e1", "refsource": "CONFIRM", "url": "https://wpscan.com/vulnerability/c9911236-4af3-4557-9bc0-217face534e1"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24251", "datePublished": "2021-05-05T18:39:43", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2021-05-05T18:39:43", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:strategy11:business_directory_plugin_-_easy_listing_directories:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D612DCCB-A478-4E37-8A9B-FE81D0603805", "versionEndExcluding": "5.11.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Business Directory Plugin \u2013 Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status (from pending to completed to example)"}, {"lang": "es", "value": "El plugin Business Directory: Easy Listing Directories para WordPress versiones anteriores a 5.11.2, sufr\u00eda un problema de tipo Cross-Site Request Forgery, permitiendo a un atacante hacer que un administrador iniciado sesi\u00f3n actualizara el historial de pagos arbitrario, como cambiar su estado (de pendiente para completar por ejemplo)"}], "id": "CVE-2021-24251", "lastModified": "2023-11-07T03:31:09.083", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-06T13:15:11.727", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/c9911236-4af3-4557-9bc0-217face534e1"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "contact@wpscan.com", "type": "Primary"}]}