The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection.
References
Link | Resource |
---|---|
https://plugins.trac.wordpress.org/changeset/2496238/wp-super-cache | Patch Third Party Advisory |
https://wpscan.com/vulnerability/733d8a02-0d44-4b78-bbb2-37e447acd2f3 | Exploit Third Party Advisory |
Configurations
History
07 Nov 2023, 03:31
Type | Values Removed | Values Added |
---|---|---|
CWE |
04 Jul 2023, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Jun 2023, 17:43
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-94 |
12 Apr 2021, 11:55
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 9.0
v3 : 7.2 |
References | (MISC) https://plugins.trac.wordpress.org/changeset/2496238/wp-super-cache - Patch, Third Party Advisory | |
References | (CONFIRM) https://wpscan.com/vulnerability/733d8a02-0d44-4b78-bbb2-37e447acd2f3 - Exploit, Third Party Advisory | |
References | (MISC) https://m0ze.ru/vulnerability/[2021-03-13]-[WordPress]-[CWE-94]-WP-Super-Cache-WordPress-Plugin-v1.7.1.txt - Exploit, Third Party Advisory | |
CWE | CWE-20 | |
CPE | cpe:2.3:a:automattic:wp_super_cache:*:*:*:*:*:wordpress:*:* |
05 Apr 2021, 19:29
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-04-05 19:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-24209
Mitre link : CVE-2021-24209
CVE.ORG link : CVE-2021-24209
JSON object : View
Products Affected
automattic
- wp_super_cache
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')