Unknown · Accessally · CVE-2021-24226
Name of the Vulnerable Software and Affected Versions:
AccessAlly versions prior to 3.5.7
Description:
The issue is related to the leakage of environment variables due to the dumping of `serialize($ SERVER)` in the `resource/frontend/product/product-shortcode.php` file. This file is responsible for the `[accessally order form]` shortcode. The leakage occurs on all public-facing pages that contain this shortcode and does not require any login or administrator role.
Recommendations:
For versions prior to 3.5.7, update to version 3.5.7 or later to resolve the issue. As a temporary workaround, consider removing or restricting access to the `[accessally order form]` shortcode on public-facing pages until the update is applied.