CVE-2021-24824 - Vulnerability Details - OpenCVE

The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Custom Content Shortcode Project	Custom Content Shortcode

Configuration 1 [-]

cpe:2.3:a:custom_content_shortcode_project:custom_content_shortcode:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wpscan.com/vulnerability/7b4d4675-6089-4435-9b56-31496adc4767

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2022-03-07T08:16:03

Updated: 2024-08-03T19:42:17.203Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24824

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-03-07T09:15:08.147

Modified: 2024-11-21T05:53:50.130

Link: CVE-2021-24824

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Custom Content Shortcode", "vendor": "Unknown", "versions": [{"lessThan": "4.0.1", "status": "affected", "version": "4.0.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Francesco Carlucci"}], "descriptions": [{"lang": "en", "value": "The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-07T08:16:03", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/7b4d4675-6089-4435-9b56-31496adc4767"}], "source": {"discovery": "EXTERNAL"}, "title": "Custom Content Shortcode < 4.0.1 - Unauthorised Arbitrary Post Metadata Access", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24824", "STATE": "PUBLIC", "TITLE": "Custom Content Shortcode < 4.0.1 - Unauthorised Arbitrary Post Metadata Access"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Custom Content Shortcode", "version": {"version_data": [{"version_affected": "<", "version_name": "4.0.1", "version_value": "4.0.1"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Francesco Carlucci"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved"}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863 Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/7b4d4675-6089-4435-9b56-31496adc4767", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/7b4d4675-6089-4435-9b56-31496adc4767"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:42:17.203Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/7b4d4675-6089-4435-9b56-31496adc4767"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24824", "datePublished": "2022-03-07T08:16:03", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:42:17.203Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:custom_content_shortcode_project:custom_content_shortcode:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "57FDBDC1-3F0D-4862-ACBC-8B267498170E", "versionEndExcluding": "4.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved"}, {"lang": "es", "value": "El shortcode [field] incluido en el plugin Custom Content Shortcode de WordPress versiones anteriores a 4.0.1, permite a usuarios autenticados con un rol tan bajo como el de colaborador, acceder a metadatos arbitrarios de la entrada. Esto podr\u00eda conllevar a una divulgaci\u00f3n de datos confidenciales, por ejemplo, cuando es usado en combinaci\u00f3n con WooCommerce, puede recuperarse la direcci\u00f3n de correo electr\u00f3nico de los pedidos"}], "id": "CVE-2021-24824", "lastModified": "2024-11-21T05:53:50.130", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-07T09:15:08.147", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/7b4d4675-6089-4435-9b56-31496adc4767"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/7b4d4675-6089-4435-9b56-31496adc4767"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "contact@wpscan.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}