CVE Vulnerability

CVE-2021-24997

The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user

6.4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://wpscan.com/vulnerability/747e6c7e-a167-4d82-b6e6-9e8613f0e900 Exploit Third Party Advisory
https://github.com/Keyvanhardani/WP-Guppy-A-live-chat-WP-JSON-API-Sensitive-Information-Disclosure Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:wp-guppy:wp_guppy:*:*:*:*:*:wordpress:*:*
Information

Published : 2021-12-27 11:15

Updated : 2022-01-07 05:08

NVD link : CVE-2021-24997

Mitre link : CVE-2021-24997

Products Affected
No products.
CWE
CWE-862