6.1

CVE-2019-19133

Exploit

CSS Hero <= 4.0.3 - Reflected Cross-Site Scripting

The CSS Hero plugin through 4.0.3 for WordPress is prone to reflected XSS via the URI in a csshero_action=edit_page request because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary JavaScript in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookies or launch other attacks.
Mögliche Gegenmaßnahme
CSS Hero: Update to version 4.07, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CssheroCsshero Version4.0.3 SwPlatformwordpress
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt CSS Hero
Version *-4.03
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.88% 0.768
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://packetstormsecurity.com/files/155558/WordPress-CSS-Hero-4.0.3-Cross-Site-Scripting.html
Third Party Advisory
Exploit
VDB Entry
http://seclists.org/fulldisclosure/2019/Dec/6
Third Party Advisory
Exploit
Mailing List
https://wpvulndb.com/vulnerabilities/9966
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/ffb97fa2-456c-4bc4-a09c-54daa17be3e8
Third Party Advisory