cbcvebase.
CVE-2021-4428
published 2023-07-18


Priority: P3 54 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 15.81% (96.5th percentile)
A vulnerability has been found in the what3words Autosuggest Plugin for WordPress up to version 4.0.0 and classified as problematic. Affected is the function enqueue_scripts in the file w3w-autosuggest/public/class-w3w-autosuggest-public.php of the Setting Handler component. The manipulation leads to information disclosure, and the attack can be launched remotely (no authentication or user interaction is required, per the CVSS 3.1 vector). Upgrading to version 4.0.1 addresses this issue; the fixing commit is dd59cbac5f86057d6a73b87007c08b8bfa0c32ac. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-234247.

Affected (2 ranges)

Vendor        Product               Version range   Fixed in
what3words    autosuggest           < 4.0.1         4.0.1
what3words    autosuggest_plugin
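The affected range above is "< 4.0.1", which must be compared numerically rather than lexically (as a string, "4.0.10" sorts before "4.0.1"). The following audit helper is an added example written for this page, not code from the plugin or from what3words: it reads the standard WordPress "Version:" header from a plugin main file and reports whether the install falls inside the affected range. The sample header is constructed for the example; the real plugin file is not reproduced here.

```python
"""Added example: decide whether an installed copy of the what3words
Autosuggest WordPress plugin is inside the CVE-2021-4428 affected range.
Illustrative code for this page, not the plugin's own code."""
import re

CVE_ID = "CVE-2021-4428"
FIXED_VERSION = "4.0.1"  # from the advisory: upgrade to 4.0.1


def parse_version(v: str) -> tuple:
    """Turn '4.0.0' or '4.0.0-beta1' into a tuple of ints.

    Pre-release suffixes are dropped and short versions are padded so
    that '4.0' compares equal to '4.0.0'. Comparing tuples of ints keeps
    '4.0.10' above '4.0.1', which a plain string comparison would not.
    """
    core = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is below the fixed version."""
    return parse_version(installed) < parse_version(fixed)


# Standard WordPress plugin header line, e.g. " * Version: 4.0.0"
PLUGIN_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def version_from_plugin_header(text: str) -> str:
    """Extract the 'Version:' field from a plugin main file header comment."""
    m = PLUGIN_HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'Version:' header found")
    return m.group(1)


def audit_header(text: str) -> dict:
    """Report the installed version and whether it is in the affected range."""
    v = version_from_plugin_header(text)
    return {"cve": CVE_ID, "version": v, "affected": is_affected(v)}


# Constructed sample header for demonstration (not the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: what3words Autosuggest
 * Version: 4.0.0
 */
"""

if __name__ == "__main__":
    print(audit_header(SAMPLE_HEADER))
```

To use it against a real install, read the plugin's main PHP file from wp-content/plugins and pass its contents to audit_header; the directory slug is assumed from the path in this record (w3w-autosuggest) and is not confirmed by the page.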

Detection & IOCs (extracted from sources)

path: w3w-autosuggest/public/class-w3w-autosuggest-public.php
fix commit hash: dd59cbac5f86057d6a73b87007c08b8bfa0c32ac
  • Monitor the enqueue_scripts function in the what3words Autosuggest Plugin's public class file for unexpected information disclosure via the Setting Handler component.
  • The CVE-2021-4428 identifier is used inconsistently across sources: NVD tracks it as a what3words WordPress plugin information disclosure vulnerability (up to version 4.0.0), while multiple Trend Micro articles incorrectly label it as the Apache Log4Shell (Log4j RCE) vulnerability. The Log4Shell vulnerability is CVE-2021-44228, not CVE-2021-4428.

CVSS provenance

NVD   CVSS v3.1   7.5 HIGH   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD   CVSS v2.0   3.3 LOW    AV:N/AC:L/Au:M/C:P/I:N/A:N