Vulnerability Details CVE-2021-24226
In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, no login or administrator role is required.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.254
EPSS Ranking 96.0%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
Products affected by CVE-2021-24226
-
cpe:2.3:a:accessally:accessally:-
-
cpe:2.3:a:accessally:accessally:2.0.1
-
cpe:2.3:a:accessally:accessally:3.3.2
-
cpe:2.3:a:accessally:accessally:3.4.0
-
cpe:2.3:a:accessally:accessally:3.5.0
-
cpe:2.3:a:accessally:accessally:3.5.1
-
cpe:2.3:a:accessally:accessally:3.5.2
-
cpe:2.3:a:accessally:accessally:3.5.3
-
cpe:2.3:a:accessally:accessally:3.5.4
-
cpe:2.3:a:accessally:accessally:3.5.6