which will be executed the next time the file is loaded by WordPress. This could allow for a wide range of attacks, including SQL injection, cross-site scripting, or installation of malicious code via other vectors. Updating to version 3.0 or later enables CSRF protection for all actions, which protects against this issue. In addition, the Scripts Organizer WordPress plugin before 3.0 does not check whether the user has administrator capability, which could allow an attacker to put malicious code in a file that would be run with administrator privileges, letting the attacker take over the site or install malicious code with administrator privileges.
2.9 – Security Vulnerability in the Code of the WordPress Plugin
This issue is rated Medium severity because of the likelihood of an attacker exploiting it to conduct a cross-site scripting (XSS) attack against users of the Scripts Organizer WordPress plugin.
In version 2.6 of the Scripts Organizer WordPress plugin, the code prints a warning message if the administrator's email is not set, which could allow an attacker to craft a malicious email and send it to the administrator to exploit this vulnerability. Update the Scripts Organizer WordPress plugin to version 2.7 or later to fix this vulnerability.
2.10 – Unsafe Redirection of Users
The Scripts Organizer WordPress plugin has a redirection feature, which could allow an attacker to redirect a
How Does The Scripts Organizer Plugin Work?
The Scripts Organizer WordPress plugin is a project management plugin that allows users to manage their scripts and files within WordPress. The software allows the user to manage their scripts and files in a single dashboard without having to leave the browser or change tabs. Users of the software can add, edit, delete, and organize their scripts through this dashboard.
The Scripts Organizer WordPress plugin does not have protection against Cross-Site Request Forgery (CSRF), which could allow an attacker to put malicious code in a file that would be run with administrator privileges, letting the attacker take over the site or install malicious code with administrator privileges.
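To make the two missing controls concrete (the absent CSRF nonce described here and in section 2.8 above, and the absent administrator capability check), the following is an added example of a WordPress admin-post handler that writes a user-supplied file, shown first in the unprotected pattern and then in a hardened form. It is not the Scripts Organizer plugin's own code; every function, hook and directory name carrying the `example_` prefix or `example-scripts` path is an assumption made for illustration, and the hardened version also escapes the admin notice it prints, which is the control relevant to the XSS issue in section 2.9.

```php
<?php
// Added example, not the Scripts Organizer plugin's code. All names prefixed
// "example_" and the "example-scripts" directory are hypothetical.

// Unprotected pattern as the advisory describes it: no nonce, no capability
// check, so a forged request from a logged-in administrator's browser (CSRF)
// or a request from any authenticated user writes a file WordPress later loads.
function example_save_script_vulnerable() {
    $path = WP_CONTENT_DIR . '/example-scripts/' . basename( $_POST['name'] );
    file_put_contents( $path, $_POST['body'] );
    wp_safe_redirect( admin_url( 'admin.php?page=example-scripts' ) );
    exit;
}

// Hardened form: capability check, CSRF nonce check, file-name validation,
// and a same-site redirect.
function example_save_script_hardened() {
    // 1. Capability: only users allowed to manage the site may write executable files.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), 403 );
    }

    // 2. CSRF: the form must carry a nonce bound to this action and this user.
    //    check_admin_referer() stops with a 403 if the nonce is missing or invalid.
    check_admin_referer( 'example_save_script', 'example_nonce' );

    // 3. Validate the file name so the write cannot escape the plugin's directory.
    $name = sanitize_file_name( wp_unslash( $_POST['name'] ?? '' ) );
    if ( '' === $name || ! preg_match( '/^[a-z0-9_-]+\.php$/', $name ) ) {
        wp_die( esc_html__( 'Invalid script name.', 'example' ), 400 );
    }

    $body = wp_unslash( $_POST['body'] ?? '' );
    $dir  = WP_CONTENT_DIR . '/example-scripts';
    wp_mkdir_p( $dir );
    file_put_contents( $dir . '/' . $name, $body );

    // 4. Redirect only to a same-site admin URL; wp_safe_redirect() refuses
    //    off-site hosts, which is the control an open-redirect bug lacks.
    wp_safe_redirect( add_query_arg( 'saved', '1', admin_url( 'admin.php?page=example-scripts' ) ) );
    exit;
}
add_action( 'admin_post_example_save_script', 'example_save_script_hardened' );

// The matching form: wp_nonce_field() emits the hidden nonce that
// check_admin_referer() verifies on submission.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_script">
        <?php wp_nonce_field( 'example_save_script', 'example_nonce' ); ?>
        <p><label>Name <input type="text" name="name" value=""></label></p>
        <p><textarea name="body" rows="10" cols="80"></textarea></p>
        <?php submit_button( __( 'Save', 'example' ) ); ?>
    </form>
    <?php
}

// Admin notice for a missing administrator email. The message and the option
// value pass through esc_html() before being printed, so nothing an attacker
// can influence is emitted as raw HTML.
function example_admin_email_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $email = (string) get_option( 'admin_email', '' );
    if ( '' === $email ) {
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html__( 'The administrator email address is not set.', 'example' )
        );
    }
}
add_action( 'admin_notices', 'example_admin_email_notice' );
```

The order of the checks matters: the capability test runs before the nonce check so that a non-administrator is rejected even if they obtained a valid nonce for their own session, and the nonce check runs before any file system access so that a forged request never reaches the write. When reviewing a plugin for the class of issue this advisory describes, look for `admin_post_*`, `wp_ajax_*` and form handlers that call `file_put_contents()` or similar without a preceding `current_user_can()` and `check_admin_referer()` / `wp_verify_nonce()`.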
Timeline
Published on: 09/26/2022 13:15:00 UTC
Last modified on: 09/28/2022 16:47:00 UTC