ID

VAR-202107-0447


CVE

CVE-2021-20780


TITLE

WordPress Plugin for WPCS - WordPress Currency Switcher Cross Site Request Forgery Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-000062

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in WPCS - WordPress Currency Switcher 1.1.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. The following person reported this vulnerability information directly to the product developer, and after coordination with the product developer it was announced at JVN in order to inform product users. Reporter: Tokyo Denki University, Department of Information and Communication Engineering, Cryptographic Protocol Laboratory, Mr. Takagi Izumi Nozomi. If a user who is logged in to the product with administrator privileges accesses a specially crafted page, he or she may be forced to perform unintended operations. Pillow is a Python-based image processing library. There is currently no information about this vulnerability; please feel free to follow CNNVD or manufacturer announcements. WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers.

Trust: 2.34

sources: NVD: CVE-2021-20780 // JVNDB: JVNDB-2021-000062 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-378456 // VULMON: CVE-2021-20780

AFFECTED PRODUCTS

vendor: wp currency, model: wordpress currency switcher, scope: lte, version: 1.1.6

Trust: 1.0

vendor: realmag777, model: wpcs - wordpress currency switcher, scope: eq, version: -

Trust: 0.8

vendor: realmag777, model: wpcs - wordpress currency switcher, scope: lte, version: 1.1.6 and earlier

Trust: 0.8

sources: JVNDB: JVNDB-2021-000062 // NVD: CVE-2021-20780

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-20780
value: HIGH

Trust: 1.0

IPA: JVNDB-2021-000062
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202107-283
value: HIGH

Trust: 0.6

VULHUB: VHN-378456
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-20780
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-20780
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

IPA: JVNDB-2021-000062
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-378456
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-20780
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

IPA: JVNDB-2021-000062
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-378456 // VULMON: CVE-2021-20780 // JVNDB: JVNDB-2021-000062 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-283 // NVD: CVE-2021-20780

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.1

problemtype:Cross-site request forgery (CWE-352) [IPA Evaluation]

Trust: 0.8

sources: VULHUB: VHN-378456 // JVNDB: JVNDB-2021-000062 // NVD: CVE-2021-20780

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202107-283

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: PluginUs.Net - Business Tools for WordPress and WooCommerce realmag777, url: https://pluginus.net/

Trust: 0.8

title: WordPress Fixes for cross-site request forgery vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=156140

Trust: 0.6

sources: JVNDB: JVNDB-2021-000062 // CNNVD: CNNVD-202107-283

EXTERNAL IDS

db: JVN, id: JVN91372527

Trust: 2.6

db: NVD, id: CVE-2021-20780

Trust: 2.6

db: JVNDB, id: JVNDB-2021-000062

Trust: 0.8

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: CS-HELP, id: SB2021070704

Trust: 0.6

db: CNNVD, id: CNNVD-202107-283

Trust: 0.6

db: CNVD, id: CNVD-2022-68922

Trust: 0.1

db: VULHUB, id: VHN-378456

Trust: 0.1

db: VULMON, id: CVE-2021-20780

Trust: 0.1

sources: VULHUB: VHN-378456 // VULMON: CVE-2021-20780 // JVNDB: JVNDB-2021-000062 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-283 // NVD: CVE-2021-20780

REFERENCES

url:https://jvn.jp/en/jp/jvn91372527/index.html

Trust: 1.8

url:https://pluginus.net/

Trust: 1.8

url:https://wordpress.org/plugins/currency-switcher/

Trust: 1.8

url:https://jvn.jp/jp/jvn91372527/index.html

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021070704

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-20780

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/352.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-378456 // VULMON: CVE-2021-20780 // JVNDB: JVNDB-2021-000062 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-283 // NVD: CVE-2021-20780

SOURCES

db: VULHUB, id: VHN-378456
db: VULMON, id: CVE-2021-20780
db: JVNDB, id: JVNDB-2021-000062
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202107-283
db: NVD, id: CVE-2021-20780

LAST UPDATE DATE

2024-08-14T12:39:42.938000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-378456, date: 2021-07-10T00:00:00
db: VULMON, id: CVE-2021-20780, date: 2021-07-10T00:00:00
db: JVNDB, id: JVNDB-2021-000062, date: 2021-07-06T03:08:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202107-283, date: 2021-08-24T00:00:00
db: NVD, id: CVE-2021-20780, date: 2021-07-10T02:32:55.870

SOURCES RELEASE DATE

db: VULHUB, id: VHN-378456, date: 2021-07-07T00:00:00
db: VULMON, id: CVE-2021-20780, date: 2021-07-07T00:00:00
db: JVNDB, id: JVNDB-2021-000062, date: 2021-07-06T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202107-283, date: 2021-07-07T00:00:00
db: NVD, id: CVE-2021-20780, date: 2021-07-07T08:15:07.970