WordPress Plugin Vulnerabilities

Menu Item Visibility Control <= 0.5 - Admin+ Arbitrary PHP Code Execution

Description

The plugin doesn't sanitize and validate the "Visibility logic" option for WordPress menu items, which could allow highly privileged users to execute arbitrary PHP code even in a hardened environment.

Proof of Concept

Affects Plugins

Plugin icon
menu-items-visibility-control
No known fix

References

CVE
CVE-2021-24942

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
bl4derunner
Submitter
Anton Sarsadskikh
Verified
Yes
WPVDB ID
eaa28832-74c1-4cd5-9b0f-02338e23b418

Timeline

Publicly Published
2022-11-29 (about 3 years ago)
Added
2022-11-29 (about 3 years ago)
Last Updated
2022-11-29 (about 3 years ago)

Other

Published
Title
Published
2023-01-25
Title
Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
Published
2014-12-30
Title
Cforms & CformsII <= 14.7 - Remote Code Execution via Unauthorised File Upload
Published
2014-08-01
Title
UnGallery - Arbitrary Comm& Execution
Published
2024-05-28
Title
Unlimited Elements for Elementor < 1.5.91 - Contributor+ Remote Code Execution via template import
Published
2014-08-01
Title
PHP Speedy <= 0.5.2 - (admin_container.php) Remote Code Exec Exploit