Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-24838

CWE-601Open Redirect4 documents4 sources
Severity
6.1MEDIUM
EPSS
2.3%
top 15.12%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Unknown AnycommentBologer Anycomment
Timeline
PublishedJan 17
Latest updateJan 18

Description

The AnyComment WordPress plugin before 0.3.5 has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

CVEListV5unknown/anycomment0.3.50.3.5
NVDbologer/anycomment< 0.3.5

🔴Vulnerability Details

2
GHSA
GHSA-3cq7-3xmj-m7r2: The AnyComment WordPress plugin through 02022-01-18
CVEList
AnyComment < 0.3.5 - Open Redirect2022-01-17

💥Exploits & PoCs

1
Nuclei
WordPress AnyComment <0.3.5 - Open Redirect
CVE-2021-24838 (MEDIUM CVSS 6.1) | The AnyComment WordPress plugin bef | cvebase.io