CVE-2019-14793

Опубликовано: 09 авг. 2019

Источник: nvd

CVSS3: 6.5

CVSS2: 5.5

EPSS Низкий

Описание

The Meta Box plugin before 4.16.3 for WordPress allows file deletion via ajax, with the wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id parameter.

Ссылки

https://metabox.io/changelog/
Vendor Advisory
https://www.pluginvulnerabilities.com/2019/02/01/full-disclosure-of-authenticated-arbitrary-file-deletion-vulnerability-in-wordpress-plugin-with-300000-installs/
Exploit
Third Party Advisory
https://metabox.io/changelog/
Vendor Advisory
https://www.pluginvulnerabilities.com/2019/02/01/full-disclosure-of-authenticated-arbitrary-file-deletion-vulnerability-in-wordpress-plugin-with-300000-installs/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:metabox:meta_box:*:*:*:*:*:wordpress:*:*

Версия до 4.16.3 (исключая)

EPSS

Процентиль: 37%

0.00157

Низкий

6.5 Medium

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-862

Связанные уязвимости

GHSA-5mmc-x8m3-9q8h

github

больше 3 лет назад