CVE-2021-24770

CWE-863Incorrect AuthorizationCWE-284Improper Access Control3 documents3 sources
Severity
6.5MEDIUM
EPSS
0.3%
top 45.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Stylish Price ListStylishpricelist Stylish Price List
Timeline
PublishedNov 1
Latest updateMay 24

Description

The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated users, such as subscriber, to upload arbitrary images.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5unknown/stylish_price_list6.9.16.9.1

🔴Vulnerability Details

2
GHSA
GHSA-mqx9-j68h-8466: The Stylish Price List WordPress plugin before 62022-05-24
CVEList
Stylish Price List < 6.9.1 - Subscriber+ Arbitrary Image Upload2021-11-01
CVE-2021-24770 (MEDIUM CVSS 6.5) | The Stylish Price List WordPress pl | cvebase.io