CVE-2021-4394
CVSS 3.1 Score 7.2 of 10 (high)
Details
Published Jul 1, 2023
Updated: Nov 7, 2023
Summary
CVE-2021-4394 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Locations plugin for WordPress. Versions up to and including 3.2.1 are susceptible to this issue. The root cause is missing or incorrect nonce validation in the saveCustomFields() function. This weakness enables unauthenticated attackers to manipulate custom field metadata via a forged request, provided they can trick a site administrator into performing an action such as clicking on a specially crafted link.
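The missing check, shown as an added example that is not the Locations plugin's source: a WordPress meta-save handler without nonce validation next to a hardened one. The "example_" function names, the "_example_phone" meta key and the use of the save_post hook are assumptions made for illustration.

```php
<?php
// Added example: hypothetical plugin code, not the Locations plugin's source.
// All "example_" names and the "_example_phone" meta key are assumptions.

// Register a meta box whose form carries a nonce bound to this post.
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'example_fields', 'Example fields', 'example_render_fields', 'post' );
} );

function example_render_fields( $post ) {
    wp_nonce_field( 'example_save_fields_' . $post->ID, 'example_fields_nonce' );
    $phone = get_post_meta( $post->ID, '_example_phone', true );
    printf( '<input type="text" name="example_phone" value="%s" />', esc_attr( $phone ) );
}

// Vulnerable pattern: nothing proves the request came from the plugin's own
// form, so any request sent with the administrator's session updates the meta.
function example_save_fields_unsafe( $post_id ) {
    if ( isset( $_POST['example_phone'] ) ) {
        update_post_meta( $post_id, '_example_phone', $_POST['example_phone'] );
    }
}

// Hardened pattern: verify the nonce and the capability before writing.
function example_save_fields( $post_id ) {
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return; // Autosaves do not submit the meta box form.
    }
    $nonce = isset( $_POST['example_fields_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_fields_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_fields_' . $post_id ) ) {
        return; // Missing or invalid nonce: a cross-site request stops here.
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return; // A valid nonce does not replace an authorization check.
    }
    if ( isset( $_POST['example_phone'] ) ) {
        $phone = sanitize_text_field( wp_unslash( $_POST['example_phone'] ) );
        update_post_meta( $post_id, '_example_phone', $phone );
    }
}
add_action( 'save_post', 'example_save_fields' );
```

When reviewing other plugins for the same class of bug, look for handlers that write with update_post_meta() or update_option() without a preceding wp_verify_nonce(), check_admin_referer() or check_ajax_referer() call.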