The WP-Stats WordPress plugin before 2.52 does not have CSRF check when saving its settings, and did not escape some of them when outputting them, allowing attacker to make logged in high privilege users change them and set Cross-Site Scripting payloads
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/f5c3dfea-7203-4a98-88ff-aa6a24d03734 | Third Party Advisory |
https://www.openwall.com/lists/oss-security/2015/06/17/6 | Exploit Mailing List Third Party Advisory |
https://wpscan.com/vulnerability/f5c3dfea-7203-4a98-88ff-aa6a24d03734 | Third Party Advisory |
https://www.openwall.com/lists/oss-security/2015/06/17/6 | Exploit Mailing List Third Party Advisory |
Configurations
History
21 Nov 2024, 02:24
Type | Values Removed | Values Added |
---|---|---|
References | () https://wpscan.com/vulnerability/f5c3dfea-7203-4a98-88ff-aa6a24d03734 - Third Party Advisory | |
References | () https://www.openwall.com/lists/oss-security/2015/06/17/6 - Exploit, Mailing List, Third Party Advisory |
03 Nov 2021, 14:41
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://wpscan.com/vulnerability/f5c3dfea-7203-4a98-88ff-aa6a24d03734 - Third Party Advisory | |
References | (MISC) https://www.openwall.com/lists/oss-security/2015/06/17/6 - Exploit, Mailing List, Third Party Advisory | |
CPE | cpe:2.3:a:wp-stats_project:wp-stats:*:*:*:*:*:wordpress:*:* | |
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 4.3 |
01 Nov 2021, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-11-01 09:15
Updated : 2024-11-21 02:24
NVD link : CVE-2015-10001
Mitre link : CVE-2015-10001
CVE.ORG link : CVE-2015-10001
JSON object : View
Products Affected
wp-stats_project
- wp-stats
CWE
CWE-352
Cross-Site Request Forgery (CSRF)