6.8
CVE-2015-4010
- EPSS 4.73%
- Veröffentlicht 09.06.2015 14:59:05
- Zuletzt bearbeitet 06.05.2026 22:30:45
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginEncrypted Contact Form < 1.1 - Cross-Site Scripting
Cross-site request forgery (CSRF) vulnerability in the Encrypted Contact Form plugin before 1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the iframe_url parameter in an Update Page action in the conformconf page to wp-admin/options-general.php.
Mögliche Gegenmaßnahme
Encrypted Contact Form: Update to version 1.1, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Everybit ≫ Encrypted Contact Form SwPlatformwordpress Version < 1.1
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Encrypted Contact Form
Version
[*, 1.1)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 4.73% | 0.907 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
http://marc.info/?l=bugtraq&m=142607790919348&w=2
http://packetstormsecurity.com/files/132209/WordPress-Encrypted-Contact-Form-1.0.4-CSRF-XSS.html
http://seclists.org/fulldisclosure/2015/May/63
http://www.securityfocus.com/archive/1/535699/100/0/threaded
http://www.securityfocus.com/bid/73433
https://plugins.trac.wordpress.org/changeset/1125443/
https://wordpress.org/plugins/encrypted-contact-form/changelog/
https://wpvulndb.com/vulnerabilities/7992
https://www.exploit-db.com/exploits/37264/
https://www.wordfence.com/threat-intel/vulnerabilities/id/ac3a359c-bdcf-42c5-9e54-c704a358b561