Main Vulnerability Database Vulnerabilities #VU47432

#VU47432 Improper access control in HyperComments

Published: October 8, 2020

Vulnerability identifier: #VU47432

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
HyperComments

Software vendor:
Alexandr Bazyk

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected plugin does not validate and sanitise user input which is being concatenated to create a file path, passed to unlink(). A remote attacker can bypass implemented security restrictions and cause arbitrary file deletion.

Remediation

Install updates from vendor's website.

External links

https://wpvulndb.com/vulnerabilities/10423/
https://lenonleite.com.br/en/2018/01/08/13-17-wordpress-plugins-with-over-150000-270000-active-downloads-with-the-same-security-issues/