CVE-2021-39339 - Vulnerability Details - OpenCVE

The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Telefication	Telefication

Configuration 1 [-]

cpe:2.3:a:telefication:telefication:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339

History

Mon, 31 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2021-09-22T10:38:17.540Z

Updated: 2025-03-31T18:20:31.937Z

Reserved: 2021-08-20T00:00:00.000Z

Link: CVE-2021-39339

Vulnrichment

Updated: 2024-08-04T02:06:42.215Z

NVD

Status : Modified

Published: 2021-09-22T11:15:07.503

Modified: 2024-11-21T06:19:16.553

Link: CVE-2021-39339

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Telefication", "vendor": "Telefication", "versions": [{"lessThanOrEqual": "1.8.0", "status": "affected", "version": "1.8.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Marco Wotschka and Charles Strader Sweethill"}], "datePublic": "2021-09-21T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-22T10:38:17.000Z", "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339"}, {"tags": ["x_refsource_MISC"], "url": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php"}], "solutions": [{"lang": "en", "value": "Uninstall plugin."}], "source": {"discovery": "INTERNAL"}, "title": "Telefication <= 1.8.0 Open Proxy and Server-Side Request Forgery", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "Wordfence", "ASSIGNER": "security@wordfence.com", "DATE_PUBLIC": "2021-09-21T15:31:00.000Z", "ID": "CVE-2021-39339", "STATE": "PUBLIC", "TITLE": "Telefication <= 1.8.0 Open Proxy and Server-Side Request Forgery"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Telefication", "version": {"version_data": [{"version_affected": "<=", "version_name": "1.8.0", "version_value": "1.8.0"}]}}]}, "vendor_name": "Telefication"}]}}, "credit": [{"lang": "eng", "value": "Marco Wotschka and Charles Strader Sweethill"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-918 Server-Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339", "refsource": "MISC", "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339"}, {"name": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php", "refsource": "MISC", "url": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php"}]}, "solution": [{"lang": "en", "value": "Uninstall plugin."}], "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:06:42.215Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-31T18:20:26.783339Z", "id": "CVE-2021-39339", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T18:20:31.937Z"}}]}, "cveMetadata": {"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "assignerShortName": "Wordfence", "cveId": "CVE-2021-39339", "datePublished": "2021-09-22T10:38:17.540Z", "dateReserved": "2021-08-20T00:00:00.000Z", "dateUpdated": "2025-03-31T18:20:31.937Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:06:42.215Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-39339", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-31T18:20:26.783339Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T18:20:18.338Z"}}], "cna": {"title": "Telefication <= 1.8.0 Open Proxy and Server-Side Request Forgery", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "value": "Marco Wotschka and Charles Strader Sweethill"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Telefication", "product": "Telefication", "versions": [{"status": "affected", "version": "1.8.0", "versionType": "custom", "lessThanOrEqual": "1.8.0"}]}], "solutions": [{"lang": "en", "value": "Uninstall plugin."}], "datePublic": "2021-09-21T00:00:00.000Z", "references": [{"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339", "tags": ["x_refsource_MISC"]}, {"url": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2021-09-22T10:38:17.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Marco Wotschka and Charles Strader Sweethill"}], "impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, "source": {"discovery": "INTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "1.8.0", "version_value": "1.8.0", "version_affected": "<="}]}, "product_name": "Telefication"}]}, "vendor_name": "Telefication"}]}}, "solution": [{"lang": "en", "value": "Uninstall plugin."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339", "name": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339", "refsource": "MISC"}, {"url": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php", "name": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-918 Server-Side Request Forgery (SSRF)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-39339", "AKA": "Wordfence", "STATE": "PUBLIC", "TITLE": "Telefication <= 1.8.0 Open Proxy and Server-Side Request Forgery", "ASSIGNER": "security@wordfence.com", "DATE_PUBLIC": "2021-09-21T15:31:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-39339", "state": "PUBLISHED", "dateUpdated": "2025-03-31T18:20:31.937Z", "dateReserved": "2021-08-20T00:00:00.000Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2021-09-22T10:38:17.540Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:telefication:telefication:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "E0A5A5B2-59C9-4A40-804A-5EEE2330D07E", "versionEndIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0."}, {"lang": "es", "value": "El plugin Telefication de WordPress es vulnerable a un ataque de tipo Open Proxy y Server-Side Request Forgery por medio del archivo ~/bypass.php debido a un valor de petici\u00f3n de URL suministrado por el usuario que es llamado por una petici\u00f3n curl. Esto afecta a las versiones hasta la 1.8.0 inclusive"}], "id": "CVE-2021-39339", "lastModified": "2024-11-21T06:19:16.553", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-22T11:15:07.503", "references": [{"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/browser/telefication/tags/1.8.0/bypass.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Secondary"}]}