WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

User Meta Shortcodes <= 0.5 - Contributor+ Unauthorized Arbitrary User Metadata Access

Description

The plugin registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes

Proof of Concept

As a contributor, put the following shortcode in a post/page [otheruserinfo login="admin" field="user_pass"][/otheruserinfo]

Affects Plugins

user-meta-shortcodes
No known fix - plugin closed

References

CVE
CVE-2021-24859

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website
https://carluc.ci
Submitter twitter
francecarlucci
Verified

Yes

WPVDB ID
958f44a5-07e7-4349-9212-2a039a082ba0

Timeline

Publicly Published

2021-11-15 (about 10 months ago)

Added

2021-11-15 (about 10 months ago)

Last Updated

2022-04-08 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin