PT-2021-16014 · WordPress · Fileviewer
Jin Huang
+1
·
Published
2021-09-13
·
Updated
2021-09-23
·
CVE-2021-24491
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Fileviewer WordPress plugin versions through 2.2
Description
The issue concerns the lack of CSRF checks in the Fileviewer WordPress plugin, allowing attackers to perform actions such as uploading and deleting files on behalf of a logged-in administrator via a CSRF attack. This could lead to arbitrary file uploads and deletions.
Recommendations
For Fileviewer WordPress plugin versions through 2.2, consider disabling file upload and delete functionality until a patch is available to add CSRF checks. Restrict access to file management features to minimize the risk of exploitation. Avoid using the plugin for sensitive file operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fileviewer