CVE-2021-25106 Information

Description

The Privacy Policy Generator Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings allowing any authenticated users such as subscriber to update them. Furthermore due to the lack of sanitisation and escaping it could lead to Stored Cross-Site Scripting

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://wpscan.com/vulnerability/47df802d-5200-484b-959c-9f569edf992e

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

5.4