9.8
CVE-2020-11548
- EPSS 5.18%
- Veröffentlicht 05.04.2020 00:15:11
- Zuletzt bearbeitet 21.11.2024 04:58:07
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginSearch Meter <= 2.13.2 - Remote Code Execution
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
Mögliche Gegenmaßnahme
Search Meter: Update to version 2.13.3, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Search Meter Project ≫ Search Meter SwPlatformwordpress Version <= 2.13.2
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Search Meter
Version
[*, 2.13.3)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 5.18% | 0.914 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-1236 Improper Neutralization of Formula Elements in a CSV File
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
https://wordpress.org/plugins/search-meter/#developers
https://www.exploit-db.com/exploits/48197
https://www.wordfence.com/threat-intel/vulnerabilities/id/8a1d90f6-40fc-40b5-a46c-9ba9ac2fc1b5