CVE-2021-24635: Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls
First published: Mon Sep 20 2021(Updated: )
The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, 2) Get title of a password-protected post as well as 3) Upload an image from an URL
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bootstrapped Visual Link Preview | <2.2.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2021-24635?
The severity of CVE-2021-24635 is medium with a CVSS score of 5.4.
How does CVE-2021-24635 affect the Visual Link Preview WordPress plugin?
CVE-2021-24635 affects the Visual Link Preview WordPress plugin version up to 2.2.3.
What can an authenticated user do with CVE-2021-24635?
An authenticated user, such as a subscriber, can exploit CVE-2021-24635 to perform unauthorized actions like accessing Draft posts.
How can I fix CVE-2021-24635?
To fix CVE-2021-24635, update the Visual Link Preview WordPress plugin to version 2.2.3 or later.
Where can I find more information about CVE-2021-24635?
You can find more information about CVE-2021-24635 at the following reference: [https://wpscan.com/vulnerability/854b23d9-e3f8-4835-8d29-140c580f11c9](https://wpscan.com/vulnerability/854b23d9-e3f8-4835-8d29-140c580f11c9)
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/weakness
- agent/severity
- agent/author
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/description
- agent/tags
- agent/source
- vendor/bootstrapped
- canonical/bootstrapped visual link preview