PT-2022-9640 · WordPress · Advanced Cron Manager
Krzysztof Zając · Published 2022-02-07 · Updated 2022-03-01
CVE-2021-25084
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Advanced Cron Manager WordPress plugin versions prior to 2.4.2
Advanced Cron Manager Pro WordPress plugin versions prior to 2.5.3
Description
The issue concerns a lack of authorization checks in some AJAX actions of the affected plugins, allowing any authenticated user to call these actions and potentially add or remove events and schedules.
Recommendations
For Advanced Cron Manager WordPress plugin versions prior to 2.4.2, update to version 2.4.2 or later to resolve the issue.
For Advanced Cron Manager Pro WordPress plugin versions prior to 2.5.3, update to version 2.5.3 or later to resolve the issue.
As a temporary workaround, consider restricting access to the vulnerable AJAX actions (for example, by requiring an administrative capability before they run) until the update can be applied.
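The following PHP is an added illustration and is not code from the Advanced Cron Manager plugin or from this advisory. It shows the root cause described above (a `wp_ajax_` handler that modifies cron state without any capability or nonce check; WordPress fires such hooks for every logged-in user, subscriber included), the hardened form of the same handler, and a small mu-plugin-style workaround that gates the AJAX action before the plugin's own handler runs. All hook, action and function names prefixed `acm_example_` are hypothetical placeholders; the plugin's real action names are not listed on this page.

```php
<?php
/**
 * Added illustration (not the plugin's code) of a missing-authorization
 * AJAX handler, its hardened counterpart, and a temporary gate.
 * Names prefixed acm_example_ are hypothetical placeholders.
 */

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_{action} runs for ANY authenticated user, so the hook by itself
// provides no authorization. Nothing below checks who is calling.
add_action( 'wp_ajax_acm_example_add_event', 'acm_example_add_event_vulnerable' );

function acm_example_add_event_vulnerable() {
    $hook = sanitize_text_field( wp_unslash( $_POST['hook'] ?? '' ) );
    $when = absint( $_POST['timestamp'] ?? 0 );
    // No capability check and no nonce: a subscriber can schedule cron events.
    wp_schedule_single_event( $when, $hook );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_acm_example_add_event_fixed', 'acm_example_add_event_fixed' );

function acm_example_add_event_fixed() {
    // 1. CSRF protection: the request must carry a nonce issued for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'acm_example_nonce', 'nonce' );

    // 2. Authorization: only users permitted to manage the site may touch cron.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation on top of the access checks.
    $hook = sanitize_text_field( wp_unslash( $_POST['hook'] ?? '' ) );
    $when = absint( $_POST['timestamp'] ?? 0 );
    if ( '' === $hook || 0 === $when ) {
        wp_send_json_error( array( 'message' => 'Invalid input.' ), 400 );
    }

    wp_schedule_single_event( $when, $hook );
    wp_send_json_success();
}

// --- Temporary workaround until the plugin can be updated -----------------
// Registering a callback on the same wp_ajax_ action at priority 1 runs it
// before the plugin's own handler (default priority 10). Low-privilege
// callers are rejected before the vulnerable code executes.
// Replace the placeholder action names with the plugin's real ones.
$acm_example_gated_actions = array( 'acm_example_add_event', 'acm_example_remove_schedule' );

foreach ( $acm_example_gated_actions as $action ) {
    add_action( 'wp_ajax_' . $action, function () {
        if ( ! current_user_can( 'manage_options' ) ) {
            // wp_send_json_error() exits, so the plugin handler never runs.
            wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
        }
    }, 1 );
}
```

The gate is deliberately minimal: it only enforces a capability, not a nonce, because the plugin's existing front-end would not send a nonce it does not know about. The full fix (hardened pattern) belongs in the plugin itself, which is what versions 2.4.2 and 2.5.3 provide.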
Weakness Enumeration
Missing Authorization
Related Identifiers
CVE-2021-25084
Affected Products
Advanced Cron Manager