CVE-2021-24333 (GCVE-0-2021-24333)

Vulnerability from cvelistv5 – Published: 2021-06-01 11:33 – Updated: 2024-08-03 19:28
Title
Content Copy Protection & Prevent Image Save <= 1.3 - CSRF to Stored Cross-Site Scripting (XSS)
Summary
The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, nor does it perform any validation or sanitisation on them, allowing attackers to make a logged-in administrator set arbitrary XSS payloads in them.
Severity
No CVSS data available in the CNA record; the embedded NVD data below carries a CVSS v3.1 base score of 6.5 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, and lists CWE-79 alongside CWE-352.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Credits
m0ze

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:28:23.400Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/c722f8d0-f86b-41c2-9f1f-48e475e22864"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://m0ze.ru/exploit/csrf-prevent-content-copy-image-save-v1.3.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://m0ze.ru/vulnerability/%5B2021-03-29%5D-%5BWordPress%5D-%5BCWE-352%5D-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://m0ze.ru/vulnerability/%5B2021-03-29%5D-%5BWordPress%5D-%5BCWE-79%5D-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Content Copy Protection \u0026 Prevent Image Save",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThanOrEqual": "1.3",
              "status": "affected",
              "version": "1.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "m0ze"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Content Copy Protection \u0026 Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-01T11:33:31.000Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wpscan.com/vulnerability/c722f8d0-f86b-41c2-9f1f-48e475e22864"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://m0ze.ru/exploit/csrf-prevent-content-copy-image-save-v1.3.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://m0ze.ru/vulnerability/%5B2021-03-29%5D-%5BWordPress%5D-%5BCWE-352%5D-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://m0ze.ru/vulnerability/%5B2021-03-29%5D-%5BWordPress%5D-%5BCWE-79%5D-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Content Copy Protection \u0026 Prevent Image Save \u003c= 1.3 - CSRF to Stored Cross-Site Scripting (XSS)",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-24333",
          "STATE": "PUBLIC",
          "TITLE": "Content Copy Protection \u0026 Prevent Image Save \u003c= 1.3 - CSRF to Stored Cross-Site Scripting (XSS)"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Content Copy Protection \u0026 Prevent Image Save",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "1.3",
                            "version_value": "1.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "m0ze"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Content Copy Protection \u0026 Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them."
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/c722f8d0-f86b-41c2-9f1f-48e475e22864",
              "refsource": "CONFIRM",
              "url": "https://wpscan.com/vulnerability/c722f8d0-f86b-41c2-9f1f-48e475e22864"
            },
            {
              "name": "https://m0ze.ru/exploit/csrf-prevent-content-copy-image-save-v1.3.html",
              "refsource": "MISC",
              "url": "https://m0ze.ru/exploit/csrf-prevent-content-copy-image-save-v1.3.html"
            },
            {
              "name": "https://m0ze.ru/vulnerability/[2021-03-29]-[WordPress]-[CWE-352]-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt",
              "refsource": "MISC",
              "url": "https://m0ze.ru/vulnerability/[2021-03-29]-[WordPress]-[CWE-352]-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt"
            },
            {
              "name": "https://m0ze.ru/vulnerability/[2021-03-29]-[WordPress]-[CWE-79]-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt",
              "refsource": "MISC",
              "url": "https://m0ze.ru/vulnerability/[2021-03-29]-[WordPress]-[CWE-79]-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2021-24333",
    "datePublished": "2021-06-01T11:33:31.000Z",
    "dateReserved": "2021-01-14T00:00:00.000Z",
    "dateUpdated": "2024-08-03T19:28:23.400Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-24333",
      "date": "2026-05-30",
      "epss": "0.00223",
      "percentile": "0.4494"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-24333\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2021-06-01T14:15:09.467\",\"lastModified\":\"2024-11-21T05:52:51.820\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Content Copy Protection \u0026 Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them.\"},{\"lang\":\"es\",\"value\":\"El plugin de WordPress Content Copy Protection \u0026amp; Prevent Image Save versiones hasta 1.3, no comprueba un ataque de tipo CSRF al guardar su configuraci\u00f3n, no lleva a cabo ninguna comprobaci\u00f3n y saneamiento en ellos, permitiendo a atacantes hacer que un administrador conectado ajustar cargas \u00fatiles de tipo XSS arbitrarias en ellos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":fals
e,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"contact@wpscan.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:content_copy_protection_\\\\\u0026_prevent_image_save_project:content_copy_protection_\\\\\u0026_prevent_image_save:*:*:*:*:*:wordpress:*:*\",\"versionEndIncluding\":\"1.3\",\"matchCriteriaId\":\"8AAD60D2-BE7C-458A-A1AE-61362BF91A20\"}]}]}],\"references\":[{\"url\":\"https://m0ze.ru/exploit/csrf-prevent-content-copy-image-save-v1.3.html\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://m0ze.ru/vulnerability/%5B2021-03-29%5D-%5BWordPress%5D-%5BCWE-352%5D-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt\",\"source\":\"contact@wpscan.com\"},{\"url\":\"https://m0ze.ru/vulnerability/%5B2021-03-29%5D-%5BWordPress%5D-%5BCWE-79%5D-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt\",\"source\":\"contact@wpscan.com\"},{\"url\":\"https://wpscan.com/vulnerability/c722f8d0-f86b-41c2-9f1f-48e475e22864\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://m0ze.ru/exploit/csrf-prevent-content-copy-image-save-v1.3.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party 
Advisory\"]},{\"url\":\"https://m0ze.ru/vulnerability/%5B2021-03-29%5D-%5BWordPress%5D-%5BCWE-352%5D-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://m0ze.ru/vulnerability/%5B2021-03-29%5D-%5BWordPress%5D-%5BCWE-79%5D-Content-Copy-Protection-Prevent-Image-Save-WordPress-Plugin-v1.3.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://wpscan.com/vulnerability/c722f8d0-f86b-41c2-9f1f-48e475e22864\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}









Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.
