8.8
CVE-2019-15858
- EPSS 20.81%
- Veröffentlicht 03.09.2019 07:15:10
- Zuletzt bearbeitet 21.11.2024 04:29:37
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginWoody Ad Snippets <= 2.2.4 - Missing Authorization to Settings Import
admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution.
Mögliche Gegenmaßnahme
Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts: Update to version 2.2.5, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Webcraftic ≫ Woody Ad Snippets SwPlatformwordpress Version < 2.2.5
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts
Version
[*, 2.2.5)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 20.81% | 0.972 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/
https://wpvulndb.com/vulnerabilities/9490
https://www.wordfence.com/threat-intel/vulnerabilities/id/942ae035-91b3-4330-800c-2dbe94a4b4b5