CVE-2019-14683

Опубликовано: 08 авг. 2019

Источник: nvd

CVSS3: 5.7

CVSS2: 4.9

EPSS Низкий

Описание

The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.

Ссылки

https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta?rev=2112013
Product
https://wordpress.org/plugins/import-users-from-csv-with-meta/#developers
Release Notes
https://wpvulndb.com/vulnerabilities/9392
Third Party Advisory
https://www.pluginvulnerabilities.com/2019/06/21/cross-site-request-forgery-csrf-media-deletion-vulnerability-in-import-users-from-csv-with-meta/
Exploit
Third Party Advisory
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta?rev=2112013
Product
https://wordpress.org/plugins/import-users-from-csv-with-meta/#developers
Release Notes
https://wpvulndb.com/vulnerabilities/9392
Third Party Advisory
https://www.pluginvulnerabilities.com/2019/06/21/cross-site-request-forgery-csrf-media-deletion-vulnerability-in-import-users-from-csv-with-meta/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:codection:import_users_from_csv_with_meta:*:*:*:*:*:wordpress:*:*

Версия до 1.14.2.2 (исключая)

EPSS

Процентиль: 34%

0.00138

Низкий

5.7 Medium

CVSS3

4.9 Medium

CVSS2

Дефекты

CWE-352

Связанные уязвимости

GHSA-4jmg-gg6g-x7j5