9.8
CVE-2020-11548
- EPSS 10.73%
- Veröffentlicht 05.04.2020 00:15:11
- Zuletzt bearbeitet 21.11.2024 04:58:07
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginSearch Meter <= 2.13.2 - Remote Code Execution
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
Mögliche Gegenmaßnahme
Search Meter: Update to version 2.13.3, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Search Meter
Version
[*, 2.13.3)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Search Meter Project ≫ Search Meter SwPlatformwordpress Version <= 2.13.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 10.73% | 0.93 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-1236 Improper Neutralization of Formula Elements in a CSV File
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.