6.5
CVE-2020-13426
- EPSS 1.19%
- Veröffentlicht 22.06.2020 18:15:11
- Zuletzt bearbeitet 21.11.2024 05:01:14
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Loginmulti Scheduler <= 1.0.0 - Cross-Site Request Forgery
The Multi-Scheduler plugin 1.0.0 for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in the forms it presents, allowing the possibility of deleting records (users) when an ID is known.
Mögliche Gegenmaßnahme
multi Scheduler: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Bdtask ≫ Multi-scheduler Version1.0.0 SwPlatformwordpress
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
multi Scheduler
Version
*-1.0.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.19% | 0.64 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
https://0day.today/exploit/34496
https://cxsecurity.com/issue/WLB-2020050235
https://infayer.com/archivos/448
https://packetstormsecurity.com/files/157867/WordPress-Multi-Scheduler-1.0.0-Cross-Site-Request-Forgery.html
https://research-labs.net/search/exploits/wordpress-plugin-multi-scheduler-100-cross-site-request-forgery-delete-user
https://twitter.com/UnD3sc0n0c1d0
https://wordpress.org/plugins/multi-scheduler/#developers
https://www.exploit-db.com/exploits/48532
https://www.wordfence.com/threat-intel/vulnerabilities/id/921c2486-42cb-42f2-a326-e951c20bd7ea