CVE-2020-9459

Опубликовано: 28 фев. 2020

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.6 for WordPress allows remote authenticated users (with minimal permissions) to inject arbitrary JavaScript, HTML, or CSS via Ajax actions. This affects mec_save_notifications and import_settings.

Ссылки

https://wpvulndb.com/vulnerabilities/10100
Exploit
Third Party Advisory
https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/
Exploit
Third Party Advisory
https://wpvulndb.com/vulnerabilities/10100
Exploit
Third Party Advisory
https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*

Версия до 5.1.6 (включая)

EPSS

Процентиль: 40%

0.00185

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-r5jc-c3q5-cv3r

github

больше 3 лет назад