Vulnerability Details CVE-2021-24892
Insecure Direct Object Reference in edit function of Advanced Forms (Free & Pro) before 1.6.9 allows authenticated remote attacker to change arbitrary user's email address and request for reset password, which could lead to take over of WordPress's administrator account. To exploit this vulnerability, an attacker must register to obtain a valid WordPress's user and use such user to authenticate with WordPress in order to exploit the vulnerable edit function.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.017
EPSS Ranking 81.4%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
- https://github.com/advancedforms/advanced-forms/commit/2ce3ab6985c3a909eefb01c562995bc6a994d3a2
- https://wpscan.com/vulnerability/364b0843-a990-4204-848a-60c928cc5bc0
- https://github.com/advancedforms/advanced-forms/commit/2ce3ab6985c3a909eefb01c562995bc6a994d3a2
- https://wpscan.com/vulnerability/364b0843-a990-4204-848a-60c928cc5bc0
Products affected by CVE-2021-24892
-
cpe:2.3:a:advanced_forms_project:advanced_forms:*