CVE-2021-24226

HIGH NUCLEI

Accessally < 3.5.7 - Information Disclosure

Title source: rule

Description

In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, no login or administrator role is required.

Nuclei Templates (1)

AccessAlly <3.5.7 - Sensitive Information Leakage

HIGHby dhiyaneshDK

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/8e3e89fd-e380-4108-be23-00e87fbaad16

Scores

CVSS v3 7.5

EPSS 0.2540

EPSS Percentile 96.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (1)

accessally/accessally < 3.5.7

Published Apr 12, 2021

Tracked Since Feb 18, 2026