5.4
CVE-2019-7411
- EPSS 0.92%
- Veröffentlicht 13.05.2019 14:29:02
- Zuletzt bearbeitet 21.11.2024 04:48:10
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginLauncher: Coming Soon & Maintenance Mode < 1.0.11 - Stored Cross-Site Scripting
Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL).
Mögliche Gegenmaßnahme
Launcher: Coming Soon & Maintenance Mode: Update to version 1.0.11, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mythemeshop ≫ Launcher Version1.0.8 SwPlatformwordpress
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Launcher: Coming Soon & Maintenance Mode
Version
[*, 1.0.11)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.92% | 0.557 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://metamorfosec.com/Files/Advisories/METS-2019-002-Multiple_Stored_XSS_Vulnerabilities_in_the_MyThemeShop_Launcher_plugin_v1.0.8_for_WordPress.txt
https://wpvulndb.com/vulnerabilities/9275
https://www.wordfence.com/threat-intel/vulnerabilities/id/56c1a28e-c37b-431d-bb0d-7d9cf4f85606