CVE-2021-24384

CRITICAL

Beardev Joomsport < 5.1.8 - Insecure Deserialization

Title source: rule

Description

The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/fb6c407c-713c-4e83-92ce-4e5f791be696

Scores

CVSS v3 9.8

EPSS 0.0445

EPSS Percentile 88.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

beardev/joomsport < 5.1.8

Timeline

Published Jul 06, 2021

Tracked Since Feb 18, 2026