The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user
References
Link | Resource |
---|---|
https://github.com/Keyvanhardani/WP-Guppy-A-live-chat-WP-JSON-API-Sensitive-Information-Disclosure | Exploit Third Party Advisory |
https://wpscan.com/vulnerability/747e6c7e-a167-4d82-b6e6-9e8613f0e900 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2021-12-27T10:33:26
Updated: 2021-12-27T10:33:26
Reserved: 2021-01-14T00:00:00
Link: CVE-2021-24997
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-12-27T11:15:09.463
Modified: 2022-01-07T17:08:04.540
Link: CVE-2021-24997
JSON object: View
Redhat Information
No data.
CWE