CVE-2021-25042 Information

Description

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or an attacker to make a logged-in user do so via a CSRF attack, and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged-in admins.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://wpscan.com/vulnerability/05b9e478-2d3b-4460-88c1-7f81d3a68ac4

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM
