CVE-2021-39353

The Easy Registration Forms WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the ajax_add_form function found in the ~/includes/class-form.php file which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 2.1.1.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
WordfenceCNA
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
VendorProductVersion
easyregistrationformseasy_registration_forms
𝑥
≤ 2.1.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://plugins.trac.wordpress.org/browser/easy-registration-forms/tags/2.1.1/includes/class-form.php#L256
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39353
https://plugins.trac.wordpress.org/browser/easy-registration-forms/tags/2.1.1/includes/class-form.php#L256
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39353