Overview
- Description: The Upload Media By URL WordPress plugin before 1.0.8 does not have a CSRF check when uploading files, which could allow attackers to make logged-in admins upload files (including HTML containing JS code for users with the unfiltered_html capability) on their behalf.
- Source: contact@wpscan.com
- NVD status: Modified
Risk scores
CVSS 3.1
- Type: Primary
- Base score: 6.5
- Impact score: 3.6
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Severity: MEDIUM
Configurations
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:notetoservices:upload_media_by_url:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "88BAE1F4-FF92-416A-886D-65CA4E6799CF",
            "versionEndExcluding": "1.0.8"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]