User Meta Shortcodes <= 0.5 – Contributor+ Unauthorized Arbitrary User Metadata Access | CVE 2021-24859

Description

The plugin registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes

Proof of Concept

As a contributor, put the following shortcode in a post/page [otheruserinfo login="admin" field="user_pass"][/otheruserinfo]

Affects Plugins

user-meta-shortcodes

No known fix

References

CVE

CVE-2021-24859

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

CVSS

7.6 (high)

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

francecarlucci

Verified

Yes

WPVDB ID

958f44a5-07e7-4349-9212-2a039a082ba0

Timeline

Publicly Published

2021-11-15 (about 4 years ago)

Added

2021-11-15 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2021-07-07

Title

WP Upload Restriction < 2.2.5 - Missing Access Control in deleteCustomType

Published

2021-08-06

Title

Welcart e-Commerce < 2.2.8 - Unauthenticated Information Disclosure

Published

2022-08-01

Title

Affiliate For WooCommerce < 4.8.0 - Subscriber+ Unauthorised Actions

Published

2021-03-16

Title

wpDataTables < 3.4.2 - Improper Access Control leading to Table Permission Takeover

Published

2020-11-06

Title

WooCommerce < 4.6.2 - Guest Account Creation