vulnerability

WordPress Plugin: visual-link-preview: CVE-2021-24635: Improper Access Control

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:S/C:P/I:P/A:N)	Aug 18, 2021	May 15, 2025	May 15, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:P/A:N)

Published

Aug 18, 2021

Added

May 15, 2025

Modified

May 15, 2025

Description

The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, 2) Get title of a password-protected post as well as 3) Upload an image from an URL

Solution

visual-link-preview-plugin-cve-2021-24635

References

URL-https://www.cve.org/CVERecord?id=CVE-2021-24635
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/012e019f-9146-45bc-b4d7-aa724dbebdc6?source=api-prod
CVE-2021-24635
https://attackerkb.com/topics/CVE-2021-24635

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today