AccessAlly < 3.5.7 – $_SERVER Superglobal Leakage | CVE 2021-24226

Description

In the plugin, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, no login or administrator role is required.

AccessAlly 3.5.7 resolved the issue.

Proof of Concept

curl -s https://example.com | grep '<div id="accessally-testing-data"'

Affects Plugins

accessally

Fixed in 3.5.7

References

CVE

CVE-2021-24226

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

CVSS

7.5 (high)

Miscellaneous

Original Researcher

Till Krüss

Submitter

Till Krüss

Submitter website

https://till.im

Submitter twitter

tillkruss

Verified

Yes

WPVDB ID

8e3e89fd-e380-4108-be23-00e87fbaad16

Timeline

Publicly Published

2021-03-26 (about 4 years ago)

Added

2021-03-26 (about 4 years ago)

Last Updated

2021-04-03 (about 4 years ago)

Other

Published

Title

Published

2024-10-10

Title

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce < 5.6.12 - Authenticated (Contributor+) Sensitive Information Exposure via content_template

Published

2025-01-30

Title

Order Export for WooCommerce < 3.25 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory

Published

2024-05-10

Title

Shopping Cart & eCommerce Store < 5.6.5 - Sensitive Information Exposure

Published

2024-12-26

Title

Barcode Generator for WooCommerce – Show barcodes on products, orders, invoices and other pages < 2.0.3 - Authenticated (Subscriber+) Sensitive Information Disclosure

Published

2025-09-27

Title

WP Popup Builder <= 1.3.6 - Unauthenticated Information Exposure