QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2021-25032

Back to search

CVE-2021-25032

Published: Jan 10, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role.

VendorProductVersions

Unknown

PublishPress Capabilities – User Role Access, Editor Permissions, Admin Menus

affected
2.0 - < 2.0*
affected
2.3.1 - < 2.3.1

Unknown

PublishPress Capabilities Pro

affected
2.0 - < 2.0*
affected
2.3.1 - < 2.3.1

Weaknesses (CWE)

CWE-352
CWE-862

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now