Описание
The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page.
Ссылки
- ExploitThird Party Advisory
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 5.1.5 (исключая)
cpe:2.3:a:updraftplus:all-in-one_security:*:*:*:*:*:wordpress:*:*
EPSS
Процентиль: 97%
0.41771
Средний
4.8 Medium
CVSS3
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 4.8
github
почти 3 года назад
The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page.
EPSS
Процентиль: 97%
0.41771
Средний
4.8 Medium
CVSS3
Дефекты
CWE-79