Vulnerability Details CVE-2021-4385
The WP Private Content Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1. This is due to missing or incorrect nonce validation on the save_groups() function. This makes it possible for unauthenticated attackers to add new group members via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 51.5%
CVSS Severity
CVSS v3 Score 8.8
References
- https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2473452%40wp-private-content-plus&new=2473452%40wp-private-content-plus&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/238f6d81-78ba-426c-866a-31f9279e4f99?source=cve
- https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2473452%40wp-private-content-plus&new=2473452%40wp-private-content-plus&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/238f6d81-78ba-426c-866a-31f9279e4f99?source=cve
Products affected by CVE-2021-4385
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:-
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.0
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.1
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.10
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.11
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.12
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.13
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.13.1
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.14
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.15
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.16
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.17
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.18
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.18.1
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.19
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.2
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.20
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.21
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.22
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.23
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.24
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.25
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.26
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.27
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.28
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.29
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.3
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.30
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.31
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.4
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.5
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.6
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.6.1
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.7
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.8
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.9
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:1.9.1
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:2.0
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:2.1
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:2.11
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:2.12
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:2.2
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:2.21
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:2.3
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:2.31
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:3.0
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:3.01
-
cpe:2.3:a:wpexpertdeveloper:wp_private_content_plus:3.1