8.8
CVE-2019-12826
- EPSS 1.11%
- Veröffentlicht 01.07.2019 18:15:11
- Zuletzt bearbeitet 21.11.2024 04:23:39
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginWidget Logic < 5.10.2 - Cross-Site Request Forgery
A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code via snippets (that are attached to widgets and then eval'd to dynamically determine their visibility) by crafting a malicious POST request that tricks administrators into adding the code.
Mögliche Gegenmaßnahme
Widget Logic: Update to version 5.10.2, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wpchef ≫ Widget Logic SwPlatformwordpress Version < 5.10.2
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Widget Logic
Version
[*, 5.10.2)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.11% | 0.616 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
https://dannewitz.ninja/posts/widget-logic-csrf-to-rce
https://plugins.trac.wordpress.org/changeset/2112753/widget-logic
https://wpvulndb.com/vulnerabilities/9403
https://wpvulndb.com/vulnerabilities/9413
https://www.wordfence.com/threat-intel/vulnerabilities/id/a4999de1-07b7-49ef-8897-267b836bc469