CVE-2021-24226

CVE-2021-24226: AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage

Vendor Unknown

Product AccessAlly

Weakness CWE-200 · Info exposure

Published April 12, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, no login or administrator role is required.

Key dates

02Disclosure timeline

April 12, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24226 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

Identifiers

CVE CVE-2021-24226

CWE CWE-200

Affected versions

Vendor Unknown

Product AccessAlly

Affected ≥ 3.5.6 and < 3.5.6*

Vendor Unknown

Product AccessAlly

Affected ≥ 3.5.7 and < 3.5.7

CVE-2021-24226: AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage

01Description

02Disclosure timeline

03References

04Related CVE