CVE-2021-24226: AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-24226

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage

Source: NVD (National Vulnerability Database)

Vulnerability Description

In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, no login or administrator role is required.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

信息暴露

Source: NVD (National Vulnerability Database)

Vulnerability Title

WordPress 插件信息泄露漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

WordPress是WordPress（Wordpress）基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 AccessAlly WordPress插件 3.5.7版本之前存在信息泄露漏洞，该漏洞源于插件中负责[accessally_order_form]短代码的文件“ resource / frontend / product / product-shortcode.php”正在转储包含所有环境变量的serialize（$ _ SERVER）。在包含

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Unknown	AccessAlly	3.5.6 ~ 3.5.6*	-

II. Public POCs for CVE-2021-24226

#	POC Description	Source Link	Shenlong Link
1	WordPress AccessAlly plugin before 3.5.7 allows sensitive information leakage because the file \"resource/frontend/product/product-shortcode.php\" (which is responsible for the [accessally_order_form] shortcode) dumps serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, and no login or administrator role is required.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-24226.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2021-24226

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same product: AccessAlly

CVE-2020-36875
AccessAlly < 3.3.2 Unauthenticated Arbitrary PHP Code Execut

Same vendor: Unknown

Same weakness: CWE-200

V. Comments for CVE-2021-24226

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2021-24226

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2021-24226

III. Intelligence Information for CVE-2021-24226

IV. Related Vulnerabilities

V. Comments for CVE-2021-24226

Leave a comment