logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

User Meta Shortcodes <= 0.5 - Contributor+ Unauthorized Arbitrary User Metadata Access

Description

The plugin registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes

Proof of Concept

As a contributor, put the following shortcode in a post/page [otheruserinfo login="admin" field="user_pass"][/otheruserinfo]

Affects Plugins

user-meta-shortcodes

No known fix - plugin closed

References

CVE

CVE-2021-24859

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

francecarlucci

Verified

Yes

WPVDB ID

958f44a5-07e7-4349-9212-2a039a082ba0

Timeline

Publicly Published

2021-11-15 (about 19 days ago)

Added

2021-11-15 (about 19 days ago)

Last Updated

2021-11-15 (about 19 days ago)

Our Other Services

WPScan WordPress Security Plugin