CVE-2021-25014

low-risk
Published 2022-02-14

The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue.

Do I need to act?

-
0.18% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.5/10 Low
NETWORK / LOW complexity

Affected Products (1)

Ibtana

Affected Vendors

Vowelweb

References (2)

Exploit https://wpscan.com/vulnerability/63c58d7f-8e0b-4aa5-b3c8-8726b4f19bf1
Exploit https://wpscan.com/vulnerability/63c58d7f-8e0b-4aa5-b3c8-8726b4f19bf1
22
/ 100
low-risk
Severity 16/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal