QwikSec

Security Database

CVE

CWE

Training

CVE-2021-24892

Published: Nov 23, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

Insecure Direct Object Reference in edit function of Advanced Forms (Free & Pro) before 1.6.9 allows authenticated remote attacker to change arbitrary user's email address and request for reset password, which could lead to take over of WordPress's administrator account. To exploit this vulnerability, an attacker must register to obtain a valid WordPress's user and use such user to authenticate with WordPress in order to exploit the vulnerable edit function.

Vendor	Product	Versions
TODO	Advanced Forms Ppro	affected `1.6.9 - < 1.6.9`
TODO	Advanced Forms	affected `1.6.9 - < 1.6.9`

Weaknesses (CWE)

References

https://wpscan.com/vulnerability/364b0843-a990-4204-848a-60c928cc5bc0

x_refsource_MISC

https://github.com/advancedforms/advanced-forms/commit/2ce3ab6985c3a909eefb01c562995bc6a994d3a2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.