4.3
CVE-2015-10001
- EPSS 0.49%
- Veröffentlicht 01.11.2021 09:15:07
- Zuletzt bearbeitet 21.11.2024 02:24:08
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginWP-Stats < 2.5.2 - CSRF to Stored Cross-Site Scripting (XSS)
WP-Stats < 2.52 - Cross-Site Request Forgery
The WP-Stats WordPress plugin before 2.52 does not have CSRF check when saving its settings, and did not escape some of them when outputting them, allowing attacker to make logged in high privilege users change them and set Cross-Site Scripting payloads
Mögliche Gegenmaßnahme
WP-Stats: Update to version 2.52, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wp-stats Project ≫ Wp-stats SwPlatformwordpress Version < 2.52
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
WP-Stats
Version
[*, 2.52)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.49% | 0.382 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
https://wpscan.com/vulnerability/f5c3dfea-7203-4a98-88ff-aa6a24d03734
https://www.openwall.com/lists/oss-security/2015/06/17/6
https://www.wordfence.com/threat-intel/vulnerabilities/id/3df11929-37be-4c52-ae53-fbbe926659b7