8.8
CVE-2020-13643
- EPSS 0.81%
- Veröffentlicht 28.05.2020 04:15:13
- Zuletzt bearbeitet 21.11.2024 05:01:40
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginPage Builder by SiteOrigin <= 2.10.15 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.
Mögliche Gegenmaßnahme
Page Builder by SiteOrigin: Update to version 2.10.16, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Siteorigin ≫ Page Builder SwPlatformwordpress Version < 2.10.16
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Page Builder by SiteOrigin
Version
[*, 2.10.16)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.81% | 0.52 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
| cve@mitre.org | 8.8 | 2.8 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
https://wordpress.org/plugins/siteorigin-panels/#developers
https://www.wordfence.com/blog/2020/05/vulnerabilities-patched-in-page-builder-by-siteorigin-affects-over-1-million-sites/
https://www.wordfence.com/threat-intel/vulnerabilities/id/28e1a11b-5320-41be-bc78-580322e5f407