Insecure Direct Object Reference in edit function of Advanced Forms (Free & Pro) before 1.6.9 allows authenticated remote attacker to change arbitrary user's email address and request for reset password, which could lead to take over of WordPress's administrator account. To exploit this vulnerability, an attacker must register to obtain a valid WordPress's user and use such user to authenticate with WordPress in order to exploit the vulnerable edit function.
References
Link | Resource |
---|---|
https://github.com/advancedforms/advanced-forms/commit/2ce3ab6985c3a909eefb01c562995bc6a994d3a2 | Patch Third Party Advisory |
https://wpscan.com/vulnerability/364b0843-a990-4204-848a-60c928cc5bc0 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2021-11-23T19:16:23
Updated: 2021-11-23T19:16:23
Reserved: 2021-01-14T00:00:00
Link: CVE-2021-24892
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-11-23T20:15:10.463
Modified: 2021-11-29T15:44:11.333
Link: CVE-2021-24892
JSON object: View
Redhat Information
No data.
CWE