CVE-2021-4405
The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. The cause is missing or incorrect nonce validation in the epio_send_autosuggest_allowed() function. This makes it possible for unauthenticated attackers to send allowed parameters for autosuggest to elasticpress[.]io via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Because the browser attaches the administrator's session cookies to the forged request, any capability check in the handler is satisfied; only a nonce (or another anti-CSRF token) bound to the administrator's session distinguishes a forged request from one submitted from the plugin's own settings screen.
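The missing-nonce pattern the description refers to, as an added illustration that is not ElasticPress's own code (the `demo_*` function, action and option names, the nonce action `demo_send_allowed`, the checkbox values and the `example.invalid` endpoint are all assumptions made here): a hypothetical WordPress admin-ajax handler that forwards an administrator-chosen list of allowed parameters to a remote service, shown first without nonce validation and then hardened with `check_ajax_referer()`, with the matching `wp_nonce_field()` in the plugin's own settings form.

```php
<?php
/**
 * Added illustration only; this is NOT ElasticPress's code. The demo_* names,
 * the 'demo_send_allowed' nonce action, the checkbox values and the endpoint
 * are invented. It contrasts an admin-ajax handler that lacks nonce validation
 * (the class of bug described for CVE-2021-4405) with the same handler
 * protected by a nonce.
 */

// Placeholder for the remote service that receives the allowed-parameter list.
const DEMO_REMOTE_ENDPOINT = 'https://example.invalid/autosuggest/allowed';

function demo_forward_allowed( array $allowed ) {
    return wp_remote_post( DEMO_REMOTE_ENDPOINT, array(
        'body'    => array( 'allowed' => $allowed ),
        'timeout' => 5,
    ) );
}

/*
 * VULNERABLE: no nonce check. A capability check alone does not stop CSRF:
 * the browser sends the administrator's session cookies with a POST that any
 * third-party page can auto-submit, so current_user_can() passes and the
 * attacker-chosen 'allowed' list is forwarded.
 */
add_action( 'wp_ajax_demo_send_allowed_unsafe', 'demo_send_allowed_unsafe' );
function demo_send_allowed_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = isset( $_POST['allowed'] ) ? (array) wp_unslash( $_POST['allowed'] ) : array();
    demo_forward_allowed( $allowed );
    wp_send_json_success();
}

/*
 * HARDENED: check_ajax_referer() requires a valid nonce for the
 * 'demo_send_allowed' action in the _ajax_nonce or _wpnonce field and
 * terminates the request otherwise. The nonce is derived from the logged-in
 * user's session token and expires, so a cross-site page cannot supply one.
 * Keep the capability check: a nonce proves intent, not authorisation.
 */
add_action( 'wp_ajax_demo_send_allowed', 'demo_send_allowed' );
function demo_send_allowed() {
    check_ajax_referer( 'demo_send_allowed' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw     = isset( $_POST['allowed'] ) ? (array) wp_unslash( $_POST['allowed'] ) : array();
    // sanitize_key() keeps only [a-z0-9_-]; array_filter() drops anything that became empty.
    $allowed = array_values( array_filter( array_map( 'sanitize_key', $raw ) ) );
    demo_forward_allowed( $allowed );
    wp_send_json_success( array( 'allowed' => $allowed ) );
}

/*
 * The only legitimate origin of the request: the plugin's own settings screen,
 * which embeds a fresh nonce in the form via wp_nonce_field().
 */
function demo_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_send_allowed">
        <?php wp_nonce_field( 'demo_send_allowed' ); // emits _wpnonce and _wp_http_referer ?>
        <label><input type="checkbox" name="allowed[]" value="locale"> locale</label>
        <label><input type="checkbox" name="allowed[]" value="page_size"> page_size</label>
        <?php submit_button( 'Send allowed parameters' ); ?>
    </form>
    <?php
}
add_action( 'admin_menu', function () {
    add_options_page( 'Demo Autosuggest', 'Demo Autosuggest', 'manage_options',
        'demo-autosuggest', 'demo_render_settings_page' );
} );
```

Two caveats when auditing handlers like this. First, registering the action under `wp_ajax_nopriv_*` as well would expose it to visitors with no session at all, which is a different bug from CSRF; the hardened handler above is deliberately registered only for logged-in users. Second, a WordPress nonce is not a one-time token: it stays valid for a tick of 12 hours (two ticks are accepted, so up to 24 hours) and is tied to the user and session, so a nonce that leaks through a referrer, a log or an XSS bug lets an attacker forge requests for as long as it is valid.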
We have discovered 6 live websites that are affected by CVE-2021-4405.
Affected Software
| Field | Value |
|---|---|
| Product | ElasticPress |
| Category | WordPress Plugins |
| Vulnerable Versions | up to and including 3.5.3 |
| Total Vulnerable Versions | 8 |
| Vulnerable Domains | 6 live websites (15.79% of ElasticPress install base) |