CVE-2020-13643

Опубликовано: 28 мая 2020

Источник: nvd

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.

Ссылки

https://wordpress.org/plugins/siteorigin-panels/#developers
Release Notes
Third Party Advisory
https://www.wordfence.com/blog/2020/05/vulnerabilities-patched-in-page-builder-by-siteorigin-affects-over-1-million-sites/
Exploit
Third Party Advisory
https://wordpress.org/plugins/siteorigin-panels/#developers
Release Notes
Third Party Advisory
https://www.wordfence.com/blog/2020/05/vulnerabilities-patched-in-page-builder-by-siteorigin-affects-over-1-million-sites/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:siteorigin:page_builder:*:*:*:*:*:wordpress:*:*

Версия до 2.10.16 (исключая)

EPSS

Процентиль: 31%

0.0012

Низкий

8.8 High

CVSS3

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-352

Связанные уязвимости

GHSA-2gwc-rv3v-q9qp

github

больше 3 лет назад

EPSS

Процентиль: 31%

0.0012

Низкий

8.8 High

CVSS3

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-352