QwikSec

Security Database

CVE

CWE

Training

CVE-2021-24626

Published: Nov 8, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection

Vendor	Product	Versions
Unknown	Chameleon CSS	affected `1.2 - <= 1.2`

Weaknesses (CWE)

References

https://wpscan.com/vulnerability/06cb6c14-99b8-45b6-be2e-f4dcca8a4165

x_refsource_MISC

https://codevigilant.com/disclosure/2021/wp-plugin-chameleon-css/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.