CVE-2014-7957

Exploit

EPSS 1.16%
Veröffentlicht 15.01.2015 15:59:04
Zuletzt bearbeitet 06.05.2026 22:30:45
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Pods <= 2.4.3 - Multiple Cross-Site Request Forgery

Multiple cross-site request forgery (CSRF) vulnerabilities in the Pods plugin before 2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the toggled parameter in a toggle action in the pods-components page to wp-admin/admin.php, (2) delete a pod in a delete action in the pods page to wp-admin/admin.php, (3) reset pod settings and data via the pods_reset parameter in the pod-settings page to wp-admin/admin.php, (4) deactivate and reset pod data via the pods_reset_deactivate parameter in the pod-settings page to wp-admin/admin.php, (5) delete the admin role via the id parameter in a delete action in the pods-component-roles-and-capabilities page to wp-admin/admin.php, or (6) enable "roles and capabilities" in a toggle action in the pods-components page to wp-admin/admin.php.

Mögliche Gegenmaßnahme

Pods – Custom Content Types and Fields: Update to version 2.5, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pods Foundation ≫ Pods SwPlatformwordpress Version <= 2.4.3

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Pods – Custom Content Types and Fields

Version *-2.4.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.16%	0.631

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

http://packetstormsecurity.com/files/129890/WordPress-Pods-2.4.3-CSRF-Cross-Site-Scripting.html

Exploit

http://seclists.org/fulldisclosure/2015/Jan/26

Exploit

http://www.securityfocus.com/archive/1/534437/100/0/threaded

http://www.securityfocus.com/bid/71996

https://wordpress.org/plugins/pods/changelog/

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/19b4a27d-d9de-4567-86cd-8ec821ee299a

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2014-7957

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-7957

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-7957

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2014-7957