The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_theme function found in the ~/includes/admin/coundown_theme_page.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.7.
References
Link | Resource |
---|---|
https://plugins.trac.wordpress.org/changeset/2605523/countdown-wpdevart-extended/trunk/includes/admin/coundown_theme_page.php | Patch Third Party Advisory |
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34636 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Wordfence
Published: 2021-09-27T00:00:00
Updated: 2021-09-28T13:53:30
Reserved: 2021-06-10T00:00:00
Link: CVE-2021-34636
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-09-28T14:15:07.897
Modified: 2021-10-02T15:05:34.300
Link: CVE-2021-34636
JSON object: View
Redhat Information
No data.
CWE