CVE-2021-4405

The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the epio_send_autosuggest_allowed() function. This makes it possible for unauthenticated attackers to send allowed parameters for autosuggest to elasticpress[.]io via a forged request, provided that they can trick a site administrator into performing an action such as clicking on a link.
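As an added illustration (not ElasticPress's own code; the function names, hook names, option name and remote URL are hypothetical), the admin-ajax handler pattern the advisory describes, missing nonce validation, beside its hardened form:

```php
<?php
// Hypothetical WordPress admin-ajax handler that forwards an "allowed autosuggest
// parameters" list to a remote service. Added example, not the plugin's code.

// BEFORE (vulnerable pattern): no nonce check and no capability check. Any request
// that rides on the administrator's logged-in cookie is accepted, so a page the
// admin is lured to can submit it cross-site. This is the CSRF the advisory describes.
function example_send_autosuggest_allowed_vulnerable() {
    $allowed = isset( $_POST['allowed'] ) ? (array) $_POST['allowed'] : array();
    $allowed = array_map( 'sanitize_text_field', wp_unslash( $allowed ) );
    wp_remote_post( 'https://service.example/autosuggest/allowed', // hypothetical URL
        array( 'body' => array( 'allowed' => $allowed ) ) );
    wp_send_json_success();
}

// AFTER (hardened): require a nonce bound to this action and to the current user,
// then require an appropriate capability before doing anything with side effects.
function example_send_autosuggest_allowed_fixed() {
    // check_ajax_referer() terminates the request with "-1" (HTTP 403) when the
    // 'nonce' field is missing or was not issued for 'example_autosuggest_allowed'.
    check_ajax_referer( 'example_autosuggest_allowed', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $allowed = isset( $_POST['allowed'] ) ? (array) $_POST['allowed'] : array();
    $allowed = array_map( 'sanitize_text_field', wp_unslash( $allowed ) );
    wp_remote_post( 'https://service.example/autosuggest/allowed', // hypothetical URL
        array( 'body' => array( 'allowed' => $allowed ) ) );
    wp_send_json_success();
}
// Only the hardened handler is wired up; the vulnerable one is kept for contrast.
add_action( 'wp_ajax_example_send_autosuggest_allowed', 'example_send_autosuggest_allowed_fixed' );

// Client side: the nonce is minted server-side for the logged-in user and handed to
// the plugin's own admin script. A third-party page cannot read it, so a forged
// request lacks a valid 'nonce' field and is rejected by check_ajax_referer().
function example_enqueue_autosuggest_admin_script() {
    wp_localize_script( 'example-admin', 'exampleAutosuggest', array( // handle is hypothetical
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_autosuggest_allowed' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_autosuggest_admin_script' );
```

The nonce is scoped to the action string, the user and a time window, so the same check also rejects replays of a nonce captured from a different action.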



We have discovered 6 live websites that are affected by CVE-2021-4405.





Affected Software

Product: ElasticPress
Category: WordPress Plugins
Vulnerable Versions: from 0 through 3.5.3
Total Vulnerable Versions: 8
Vulnerable Domains: 6 live websites (15.79% of ElasticPress install base)



Details

  • Published - Jul 1, 2023
  • Updated - Jul 1, 2023

Credits

  • Jerome Bruandet (finder)




Countries

  • United States: 1 website
  • Hungary: 2 websites
  • Singapore: 2 websites
  • Netherlands: 1 website

TLDs

  • .com: 3 websites
  • .nl: 1 website

Websites affected by CVE-2021-4405

Top websites that are affected by CVE-2021-4405.

Domain                 Country         Rank
***.***********.com    United States   ***,***
*****************.nl   Netherlands     ***,***
***.***********.com    Singapore       *,***,***
************.com       Singapore       *,***,***
*******.****.hu        Hungary         *,***,***
*******.****.hu        Hungary         *,***,***