CVE-2021-24218

State: PUBLISHED · Published: 2021-04-12 · Updated: 2024-08-03 · Assigner: WPScan

Description

The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.

CWE

CWE-352 — CWE-352 Cross-Site Request Forgery (CSRF)

Affected

Unknown / Facebook for WordPress — v=3.0.0 <3.0.0* [affected]; v=3.0.4 <3.0.4 [affected]

CVSS

(none)

References

https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/ x_refsource_MISC
https://wpscan.com/vulnerability/169d21fc-d191-46ff-82e8-9ac887aed8a4 x_refsource_CONFIRM

Source

cvelistV5-main/cves/2021/24xxx/CVE-2021-24218.json