Description
The Ultimate FAQ WordPress plugin before 2.1.2 does not perform capability or CSRF (nonce) checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, which, as wp_ajax_* handlers, are reachable by any authenticated user. As a result, any user with a role as low as Subscriber could create FAQs and FAQ questions.
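The two defects named above (CWE-862 missing authorization and CWE-352 CSRF) are the classic admin-ajax mistake: a `wp_ajax_*` hook fires for every logged-in session, so the handler itself has to verify both a nonce and a capability. The following is an added illustration written for this page, not code from the Ultimate FAQ plugin or its fix; the handler names (`example_ufaq_*`), the `example_faq` post type, the nonce action string and the `nonce` POST field are assumptions chosen for the example, and `publish_posts` is one reasonable capability to gate on, not necessarily the one the vendor picked.

```php
<?php
/**
 * Illustrative hardening of a WordPress admin-ajax action.
 * Not the Ultimate FAQ plugin's code: handler, post type and nonce names
 * are assumptions chosen for this example.
 */

// Vulnerable shape. Because wp_ajax_* hooks run for every authenticated
// session, this handler is callable by a Subscriber (or via CSRF through a
// logged-in victim's browser): nothing checks a nonce or a capability
// before a published post is written.
function example_ufaq_add_faq_unsafe() {
    $post_id = wp_insert_post( array(
        'post_type'    => 'example_faq',   // hypothetical post type
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['question'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['answer'] ?? '' ) ),
        'post_status'  => 'publish',
    ) );
    wp_send_json_success( array( 'id' => $post_id ) );
}

// Hardened shape: nonce first (CWE-352), then capability (CWE-862).
function example_ufaq_add_faq_safe() {
    // 1. CSRF: the nonce must have been issued for this specific action.
    //    check_ajax_referer() terminates the request when it does not match.
    check_ajax_referer( 'example_ufaq_add_faq', 'nonce' );

    // 2. Authorization: a Subscriber only has 'read'. Gate on a capability
    //    that matches what the action grants (creating published content).
    //    wp_send_json_error() calls wp_die(), so execution stops here.
    if ( ! current_user_can( 'publish_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $question = sanitize_text_field( wp_unslash( $_POST['question'] ?? '' ) );
    $answer   = wp_kses_post( wp_unslash( $_POST['answer'] ?? '' ) );
    if ( '' === $question ) {
        wp_send_json_error( array( 'message' => 'Question is required' ), 400 );
    }

    $post_id = wp_insert_post( array(
        'post_type'    => 'example_faq',   // hypothetical post type
        'post_title'   => $question,
        'post_content' => $answer,
        'post_status'  => 'publish',
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}
add_action( 'wp_ajax_example_ufaq_add_faq', 'example_ufaq_add_faq_safe' );

// The legitimate admin page needs the nonce so its script can send it back
// in the 'nonce' POST field; a cross-site attacker cannot read this value.
function example_ufaq_enqueue_admin_script( $hook_suffix ) {
    wp_enqueue_script( 'example-ufaq-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-ufaq-admin', 'exampleUfaq', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_ufaq_add_faq' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_ufaq_enqueue_admin_script' );
```

A quick audit check for any plugin: grep its `add_action( 'wp_ajax_` registrations and confirm each callback reaches `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` test before any write; a `wp_ajax_nopriv_` registration of the same callback would widen the exposure to unauthenticated visitors, which this advisory does not claim for Ultimate FAQ.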
References
- Patch (Third Party Advisory)
- Exploit (Third Party Advisory)
- Patch (Third Party Advisory)
- Exploit (Third Party Advisory)
Vulnerable configurations
Configuration 1: versions before 2.1.2 (2.1.2 itself not affected)
cpe:2.3:a:etoilewebdesign:ultimate_faq:*:*:*:*:*:wordpress:*:*
EPSS
Score: 0.00092 (percentile: 26%), Low
CVSS3: 5.7 Medium
CVSS2: 3.5 Low
Weaknesses
CWE-862 (Missing Authorization)
CWE-352 (Cross-Site Request Forgery)
Related vulnerabilities
- github (about 4 years ago): same description as above; CVSS3 5.7 Medium, CVSS2 3.5 Low, EPSS 0.00092 (percentile 26%, Low); CWE-862, CWE-352