CVE-2015-10001

The WP-Stats WordPress plugin before 2.52 does not have CSRF check when saving its settings, and did not escape some of them when outputting them, allowing attacker to make logged in high privilege users change them and set Cross-Site Scripting payloads
Configurations

Configuration 1 (hide)

cpe:2.3:a:wp-stats_project:wp-stats:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 02:24

Type Values Removed Values Added
References () https://wpscan.com/vulnerability/f5c3dfea-7203-4a98-88ff-aa6a24d03734 - Third Party Advisory () https://wpscan.com/vulnerability/f5c3dfea-7203-4a98-88ff-aa6a24d03734 - Third Party Advisory
References () https://www.openwall.com/lists/oss-security/2015/06/17/6 - Exploit, Mailing List, Third Party Advisory () https://www.openwall.com/lists/oss-security/2015/06/17/6 - Exploit, Mailing List, Third Party Advisory

03 Nov 2021, 14:41

Type Values Removed Values Added
References (MISC) https://wpscan.com/vulnerability/f5c3dfea-7203-4a98-88ff-aa6a24d03734 - (MISC) https://wpscan.com/vulnerability/f5c3dfea-7203-4a98-88ff-aa6a24d03734 - Third Party Advisory
References (MISC) https://www.openwall.com/lists/oss-security/2015/06/17/6 - (MISC) https://www.openwall.com/lists/oss-security/2015/06/17/6 - Exploit, Mailing List, Third Party Advisory
CPE cpe:2.3:a:wp-stats_project:wp-stats:*:*:*:*:*:wordpress:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 4.3
v3 : 4.3

01 Nov 2021, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-11-01 09:15

Updated : 2024-11-21 02:24


NVD link : CVE-2015-10001

Mitre link : CVE-2015-10001

CVE.ORG link : CVE-2015-10001


JSON object : View

Products Affected

wp-stats_project

  • wp-stats
CWE
CWE-352

Cross-Site Request Forgery (CSRF)