User Meta Shortcodes <= 0.5 – Contributor+ Unauthorized Arbitrary User Metadata Access | CVE 2021-24859

Description

The plugin registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes

Proof of Concept

As a contributor, put the following shortcode in a post/page [otheruserinfo login="admin" field="user_pass"][/otheruserinfo]

Affects Plugins

user-meta-shortcodes

No known fix

References

CVE

CVE-2021-24859

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

CVSS

7.6 (high)

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

francecarlucci

Verified

Yes

WPVDB ID

958f44a5-07e7-4349-9212-2a039a082ba0

Timeline

Publicly Published

2021-11-15 (about 2 years ago)

Added

2021-11-15 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2021-03-30

Title

Controlled Admin Access < 1.5.6 - Improper Access Control to Privilege Escalation

Published

2023-12-14

Title

WP VR < 8.3.15 - Unauthenticated Plugin Downgrade leading to XSS

Published

2024-03-04

Title

Maintenance Mode < 3.0.2 - Unauthenticated Post/Page Content Disclosure

Published

2021-07-12

Title

Frontend File Manager < 18.3 - Privilege Escalation

Published

2023-04-25

Title

REST API TO MiniProgram <= 4.6.9 - Subscriber+ Attachment Deletion