Vulnerabilities > CVE-2021-24840 - Authorization Bypass Through User-Controlled Key vulnerability in Codesupply Squaretype

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

codesupply

CWE-639

NVD

Published: 2021-11-08

Updated: 2021-11-13

Summary

The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request.

Vulnerable Configurations

Part	Description	Count
Application	Codesupply Codesupply Squaretype - Codesupply Squaretype 1.0.0 Codesupply Squaretype 1.0.1 Codesupply Squaretype 1.0.2 Codesupply Squaretype 1.0.3 Codesupply Squaretype 1.0.4 Codesupply Squaretype 1.0.5 Codesupply Squaretype 2.0.0 Codesupply Squaretype 2.0.1 Codesupply Squaretype 2.0.2 Codesupply Squaretype 2.0.3 Codesupply Squaretype 2.0.4 Codesupply Squaretype 2.0.5 Codesupply Squaretype 2.0.6 Codesupply Squaretype 2.0.7 Codesupply Squaretype 2.0.8 Codesupply Squaretype 2.0.9 Codesupply Squaretype 2.1.0 Codesupply Squaretype 2.1.1 Codesupply Squaretype 2.1.2 Codesupply Squaretype 2.1.3 Codesupply Squaretype 3.0.0 Codesupply Squaretype 3.0.1 Codesupply Squaretype 3.0.2 Codesupply Squaretype 3.0.3	25

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://wpscan.com/vulnerability/971302fd-4e8b-4c6a-818f-3a42c7fb83ef