CVE-2021-24997 Information

Description

The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of its REST API endpoints, allowing any user to call them. This could lead to disclosure of sensitive information such as usernames and chats between users, and makes it possible to send messages as an arbitrary user.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Reference

https://wpscan.com/vulnerability/747e6c7e-a167-4d82-b6e6-9e8613f0e900

https://github.com/Keyvanhardani/WP-Guppy-A-live-chat-WP-JSON-API-Sensitive-Information-Disclosure

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.5

Base Severity

MEDIUM
