ID

VAR-202201-0986


CVE

CVE-2021-25043


TITLE

Cross-site scripting vulnerability in the WOOCS WordPress plugin

Trust: 0.8

sources: JVNDB: JVNDB-2021-017681

DESCRIPTION

The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape the custom_prices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. A cross-site scripting vulnerability exists in the WOOCS WordPress plugin. Information may be obtained and information may be tampered with. WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. The vulnerability stems from the lack of validation and filtering of user-provided data in the custom_prices parameter before it is output. Attackers can exploit this vulnerability to execute JavaScript code on the client.

Trust: 1.71

sources: NVD: CVE-2021-25043 // JVNDB: JVNDB-2021-017681 // VULHUB: VHN-383764

AFFECTED PRODUCTS

vendor: pluginus
model: woocommerce currency switcher
scope: lt
version: 1.3.7.3

Trust: 1.0

vendor: pluginus net
model: woocommerce currency switcher
scope: eq
version: 1.3.7.3

Trust: 0.8

vendor: pluginus net
model: woocommerce currency switcher
scope: eq
version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-017681 // NVD: CVE-2021-25043

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-25043
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-25043
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202201-656
value: MEDIUM

Trust: 0.6

VULHUB: VHN-383764
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-25043
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-383764
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-25043
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-25043
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-383764 // JVNDB: JVNDB-2021-017681 // CNNVD: CNNVD-202201-656 // NVD: CVE-2021-25043

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.1

problemtype: Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

sources: VULHUB: VHN-383764 // JVNDB: JVNDB-2021-017681 // NVD: CVE-2021-25043

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-656

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202201-656

PATCH

title: Changeset 2640621 for woocommerce-currency-switcher WordPress Plugin Directory
url: https://plugins.trac.wordpress.org/changeset/2640621/woocommerce-currency-switcher

Trust: 0.8

title: WordPress Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=178097

Trust: 0.6

sources: JVNDB: JVNDB-2021-017681 // CNNVD: CNNVD-202201-656

EXTERNAL IDS

db: NVD
id: CVE-2021-25043

Trust: 3.3

db: JVNDB
id: JVNDB-2021-017681

Trust: 0.8

db: CNNVD
id: CNNVD-202201-656

Trust: 0.6

db: CNVD
id: CNVD-2022-03950

Trust: 0.1

db: VULHUB
id: VHN-383764

Trust: 0.1

sources: VULHUB: VHN-383764 // JVNDB: JVNDB-2021-017681 // CNNVD: CNNVD-202201-656 // NVD: CVE-2021-25043

REFERENCES

url: https://wpscan.com/vulnerability/8601bd21-becf-4809-8c11-d053d1121eae

Trust: 2.5

url: https://plugins.trac.wordpress.org/changeset/2640621/woocommerce-currency-switcher

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-25043

Trust: 1.4

sources: VULHUB: VHN-383764 // JVNDB: JVNDB-2021-017681 // CNNVD: CNNVD-202201-656 // NVD: CVE-2021-25043

SOURCES

db: VULHUB  id: VHN-383764
db: JVNDB  id: JVNDB-2021-017681
db: CNNVD  id: CNNVD-202201-656
db: NVD  id: CVE-2021-25043

LAST UPDATE DATE

2024-08-14T15:42:39.503000+00:00


SOURCES UPDATE DATE

db: VULHUB  id: VHN-383764  date: 2022-01-14T00:00:00
db: JVNDB  id: JVNDB-2021-017681  date: 2023-01-31T04:49:00
db: CNNVD  id: CNNVD-202201-656  date: 2022-03-05T00:00:00
db: NVD  id: CVE-2021-25043  date: 2022-01-14T19:46:46.217

SOURCES RELEASE DATE

db: VULHUB  id: VHN-383764  date: 2022-01-10T00:00:00
db: JVNDB  id: JVNDB-2021-017681  date: 2023-01-31T00:00:00
db: CNNVD  id: CNNVD-202201-656  date: 2022-01-10T00:00:00
db: NVD  id: CVE-2021-25043  date: 2022-01-10T16:15:08.907