CVE-2019-12826

Sažetak

A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code via snippets (that are attached to widgets and then eval'd to dynamically determine their visibility) by crafting a malicious POST request that tricks administrators into adding the code.

Reference

https://dannewitz.ninja/posts/widget-logic-csrf-to-rce
https://plugins.trac.wordpress.org/changeset/2112753/widget-logic
https://wpvulndb.com/vulnerabilities/9403
https://wpvulndb.com/vulnerabilities/9413

CVSS

Base:	6.8
Impact:	6.4
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

31-07-2019 - 08:15

Objavljeno

01-07-2019 - 18:15