6.5
CVE-2018-11632
- EPSS 0.54%
- Veröffentlicht 31.05.2018 20:29:02
- Zuletzt bearbeitet 21.11.2024 03:43:44
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginAdd Social Share Buttons for Whatsapp and Viber < 1.1 - Cross-Site Request Forgery
An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings via wp-admin/admin-post.php CSRF. There's no nonce or capability check in the whatsapp_share_setting_add_update() function.
Mögliche Gegenmaßnahme
Add Social Share Buttons for Whatsapp and Viber: Update to version 1.1, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Multidots ≫ Add Social Share Messenger Buttons Whatsapp And Viber Version1.0.8 SwPlatformwordpress
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Add Social Share Buttons for Whatsapp and Viber
Version
[*, 1.1)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.54% | 0.409 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
http://labs.threatpress.com/cross-site-request-forgery-csrf-in-add-social-share-messenger-buttons-whatsapp-and-viber-plugin/
https://wordpress.org/plugins/add-social-share-buttons/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/3f596af2-ff83-4c67-a8f0-e4df4a0adbd2