CVE-2021-4426
The Absolute Reviews plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.8. This is due to missing or incorrect nonce validation on the metabox_review_save() function. This makes it possible for unauthenticated attackers to save meta tags via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
We have discovered 49 live websites that are affected by CVE-2021-4426.
Affected Software
| Product |  Absolute Reviews |
| Category | Wordpress Plugins |
| Vulnerable Domains | 49 live websites (2.92% of Absolute Reviews install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 4 versions ( 33% of all versions) |
Details
- Published - Jul 12, 2023
- Updated - Oct 17, 2024
Credits
- Jerome Bruandet (finder)
CVE References
Website Distribution by Country
Number of websites using CVE-2021-4426 United States | 11 websites |
 Germany | 9 websites |
 Italy | 4 websites |
 Russia | 4 websites |
 Canada | 2 websites |
 Cyprus | 2 websites |
 Spain | 2 websites |
 France | 2 websites |
 Singapore | 2 websites |
Website Distribution by TLD
Number of websites using CVE-2021-4426| .com | 20 websites |
| .ru | 4 websites |
| .de | 3 websites |
| .org | 3 websites |
| .net | 2 websites |
| .ca | 1 websites |
| .com.au | 1 websites |
| .com.br | 1 websites |
| .fr | 1 websites |
| .nl | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2021-4426
Top websites that are affected by CVE-2021-4426. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.de | Germany | *,***,*** | |
| ******.fm | Germany | *,***,*** | |
| *************.com | Germany | *,***,*** | |
| *********.id | United States | *,***,*** | |
| ***********.org | United States | *,***,*** | |
| ******.com |  China | **,***,*** | |
| *************.com | United States | **,***,*** | |
| *******.us | United States | **,***,*** | |
| ******************.com | Spain | **,***,*** | |
| ****************.**.il |  Israel | **,***,*** |
FAQ
A total of 49 websites have been identified as vulnerable to CVE-2021-4426, based on global website indexing conducted by WebTechSurvey.
The Absolute Reviews is affected by the CVE-2021-4426 vulnerability.
Absolute Reviews versions up to and including 1.0.8 are vulnerable to CVE-2021-4426.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ec1ee47d-020c-482d-ad6f-663d78e624b8?source=cve
- https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2548729%40absolute-reviews&new=2548729%40absolute-reviews&sfp_email=&sfph_mail=