VAR-202205-0286
Vulnerability from variot - Updated: 2024-08-14 15:42The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk. All In One WP Security & Firewall WordPress A cross-site scripting vulnerability exists in the plugin.Information may be obtained and information may be tampered with. Both WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform developed using PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. A WordPress plugin is an application plugin. The redirect_to parameter is defined, an attacker can exploit this vulnerability to execute JavaScript code on the client
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202205-0286",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "all in one wp security \\\u0026 firewall",
"scope": "lt",
"trust": 1.0,
"vendor": "tipsandtricks hq",
"version": "4.4.11"
},
{
"model": "all in one wp security \u0026 firewall",
"scope": "eq",
"trust": 0.8,
"vendor": "tips and tricks hq",
"version": null
},
{
"model": "all in one wp security \u0026 firewall",
"scope": "eq",
"trust": 0.8,
"vendor": "tips and tricks hq",
"version": "4.4.11"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-010251"
},
{
"db": "NVD",
"id": "CVE-2021-25102"
}
]
},
"cve": "CVE-2021-25102",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"exploitabilityScore": 4.9,
"id": "CVE-2021-25102",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 1.9,
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"exploitabilityScore": 4.9,
"id": "VHN-383823",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 0.1,
"vectorString": "AV:N/AC:H/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 1.6,
"id": "CVE-2021-25102",
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.7,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2021-25102",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-25102",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2021-25102",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202205-1900",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-383823",
"trust": 0.1,
"value": "LOW"
},
{
"author": "VULMON",
"id": "CVE-2021-25102",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-383823"
},
{
"db": "VULMON",
"id": "CVE-2021-25102"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010251"
},
{
"db": "CNNVD",
"id": "CNNVD-202205-1900"
},
{
"db": "NVD",
"id": "CVE-2021-25102"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The All In One WP Security \u0026 Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk. All In One WP Security \u0026 Firewall WordPress A cross-site scripting vulnerability exists in the plugin.Information may be obtained and information may be tampered with. Both WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform developed using PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. A WordPress plugin is an application plugin. The redirect_to parameter is defined, an attacker can exploit this vulnerability to execute JavaScript code on the client",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-25102"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010251"
},
{
"db": "VULHUB",
"id": "VHN-383823"
},
{
"db": "VULMON",
"id": "CVE-2021-25102"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-25102",
"trust": 3.4
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010251",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202205-1900",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2022-59805",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-383823",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-25102",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-383823"
},
{
"db": "VULMON",
"id": "CVE-2021-25102"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010251"
},
{
"db": "CNNVD",
"id": "CNNVD-202205-1900"
},
{
"db": "NVD",
"id": "CVE-2021-25102"
}
]
},
"id": "VAR-202205-0286",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-383823"
}
],
"trust": 0.01
},
"last_update_date": "2024-08-14T15:42:25.989000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "All-In-One\u00a0Security\u00a0(AIOS)\u00a0-\u00a0Security\u00a0and\u00a0Firewall",
"trust": 0.8,
"url": "https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/"
},
{
"title": "WordPress plugin All In One WP Security \u0026 Firewall Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=191234"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-010251"
},
{
"db": "CNNVD",
"id": "CNNVD-202205-1900"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.1
},
{
"problemtype": "Cross-site scripting (CWE-79) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-383823"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010251"
},
{
"db": "NVD",
"id": "CVE-2021-25102"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://wpscan.com/vulnerability/9b8a00a6-622b-4309-bbbf-fe2c7fc9f8b6"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-25102"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2021-25102/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-383823"
},
{
"db": "VULMON",
"id": "CVE-2021-25102"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010251"
},
{
"db": "CNNVD",
"id": "CNNVD-202205-1900"
},
{
"db": "NVD",
"id": "CVE-2021-25102"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-383823"
},
{
"db": "VULMON",
"id": "CVE-2021-25102"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010251"
},
{
"db": "CNNVD",
"id": "CNNVD-202205-1900"
},
{
"db": "NVD",
"id": "CVE-2021-25102"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-05-02T00:00:00",
"db": "VULHUB",
"id": "VHN-383823"
},
{
"date": "2022-05-02T00:00:00",
"db": "VULMON",
"id": "CVE-2021-25102"
},
{
"date": "2023-08-14T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-010251"
},
{
"date": "2022-05-02T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202205-1900"
},
{
"date": "2022-05-02T16:15:08.093000",
"db": "NVD",
"id": "CVE-2021-25102"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-05-10T00:00:00",
"db": "VULHUB",
"id": "VHN-383823"
},
{
"date": "2022-05-10T00:00:00",
"db": "VULMON",
"id": "CVE-2021-25102"
},
{
"date": "2023-08-14T06:05:00",
"db": "JVNDB",
"id": "JVNDB-2022-010251"
},
{
"date": "2022-05-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202205-1900"
},
{
"date": "2022-05-10T13:14:58.547000",
"db": "NVD",
"id": "CVE-2021-25102"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202205-1900"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "All\u00a0In\u00a0One\u00a0WP\u00a0Security\u00a0\u0026\u00a0Firewall\u00a0WordPress\u00a0 Cross-site scripting vulnerability in plugins",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-010251"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202205-1900"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…