CVE-2020-36769

Опубликовано: 23 дек. 2023

Источник: nvd

CVSS3: 7.4

CVSS3: 5.4

EPSS Низкий

Описание

The Widget Settings Importer/Exporter Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp_ajax_import_widget_dataparameter AJAX action in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Ссылки

https://www.wordfence.com/blog/2020/04/unpatched-high-severity-vulnerability-in-widget-settings-importer-exporter-plugin/
Exploit
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/e14f0fc6-fca4-4dd7-8f7b-ed5ed535c9af?source=cve
Third Party Advisory
https://www.wordfence.com/blog/2020/04/unpatched-high-severity-vulnerability-in-widget-settings-importer-exporter-plugin/
Exploit
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/e14f0fc6-fca4-4dd7-8f7b-ed5ed535c9af?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:porternovelli:widget_settings_importer\/exporter:*:*:*:*:*:wordpress:*:*

Версия до 1.5.3 (включая)

EPSS

Процентиль: 30%

0.00112

Низкий

7.4 High

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-hgpj-j8q9-2gfm

CVSS3: 7.4

github

около 2 лет назад

EPSS

Процентиль: 30%

0.00112

Низкий

7.4 High

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79