DATABASE RESOURCES PRICING ABOUT US

{"id": "CVE-2020-28707", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-28707", "description": "The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens for any postMessage event. After a message event is sent to the application, this function sets the \"e\" variable as the event and checks that the types of the data and data.method are not undefined (empty) before proceeding to eval the data.method received from the postMessage. However, on a different website. JavaScript code can call window.open for the vulnerable WordPress instance and do a postMessage(msg,'*') for that object.", "published": "2021-01-19T22:15:00", "modified": "2021-01-22T21:42:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28707", "reporter": "cve@mitre.org", "references": ["https://jondow.eu/cve-2020-28707-xss-in-stockdio-historical-chart-plugin-for-wordpress-before-version-281/", "http://stockdio.com", "https://wordpress.org/plugins/stockdio-historical-chart/#developers"], "cvelist": ["CVE-2020-28707"], "immutableFields": [], "lastseen": "2022-03-23T17:11:03", "viewCount": 21, "enchantments": {"dependencies": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:EE036303-0676-481A-98A4-76852FEA6F62"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:EE036303-0676-481A-98A4-76852FEA6F62"]}], "rev": 4}, "score": {"value": 1.2, "vector": "NONE"}, "twitter": {"counter": 2, "modified": "2021-01-20T14:45:26", "tweets": [{"link": "https://twitter.com/WolfgangSesin/status/1352761875063332873", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2020-28707 (stockdio_historical_chart)) has been published on https://t.co/H4PzI3TmEb?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1352761910182236160", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2020-28707 (stockdio_historical_chart)) has been published on https://t.co/xQHuGxbXqU?amp=1"}]}, "backreferences": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:EE036303-0676-481A-98A4-76852FEA6F62"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:EE036303-0676-481A-98A4-76852FEA6F62"]}]}, "exploitation": null, "vulnersScore": 1.2}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "stockdio:stockdio_historical_chart", "version": "2.8.1", "operator": "lt", "name": "stockdio stockdio historical chart"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:stockdio:stockdio_historical_chart:2.8.1:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.8.1", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://jondow.eu/cve-2020-28707-xss-in-stockdio-historical-chart-plugin-for-wordpress-before-version-281/", "name": "https://jondow.eu/cve-2020-28707-xss-in-stockdio-historical-chart-plugin-for-wordpress-before-version-281/", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "http://stockdio.com", "name": "http://stockdio.com", "refsource": "MISC", "tags": ["Vendor Advisory"]}, {"url": "https://wordpress.org/plugins/stockdio-historical-chart/#developers", "name": "https://wordpress.org/plugins/stockdio-historical-chart/#developers", "refsource": "CONFIRM", "tags": ["Release Notes", "Third Party Advisory"]}]}

{"wpexploit": [{"lastseen": "2021-02-15T22:21:55", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-28707"], "description": "The plugin was affected by a Reflected Cross-Site Scripting issue via the postMessage() event.\n", "modified": "2021-01-21T06:01:48", "published": "2021-01-20T00:00:00", "id": "WPEX-ID:EE036303-0676-481A-98A4-76852FEA6F62", "href": "", "type": "wpexploit", "title": "Stockdio Historical Chart < 2.8.1 - Reflected Cross-Site Scripting (XSS)", "sourceData": "Use the following code on another website\r\n\r\n<script>\r\n var popup = window.open('https://VULNERABLE.PAGE/');\r\n var msg = {};\r\n msg.method = \"alert(document.domain)\";\r\n function post(){popup.postMessage(msg,'*')}\r\n setInterval(post,1000);\r\n</script>", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "wpvulndb": [{"lastseen": "2021-02-15T22:21:55", "bulletinFamily": "software", "cvelist": ["CVE-2020-28707"], "description": "The plugin was affected by a Reflected Cross-Site Scripting issue via the postMessage() event.\n\n### PoC\n\nUse the following code on another website \n", "modified": "2021-01-21T06:01:48", "published": "2021-01-20T00:00:00", "id": "WPVDB-ID:EE036303-0676-481A-98A4-76852FEA6F62", "href": "https://wpscan.com/vulnerability/ee036303-0676-481a-98a4-76852fea6f62", "type": "wpvulndb", "title": "Stockdio Historical Chart < 2.8.1 - Reflected Cross-Site Scripting (XSS)", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "patchstack": [{"lastseen": "2022-06-01T19:33:34", "description": "Cross-Site Scripting (XSS) vulnerability found by Jondow in WordPress Stockdio Historical Chart plugin (versions <= 2.7.2).\n\n## Solution\n\n\r\n Update the WordPress Stockdio Historical Chart plugin to the latest available version (at least 2.8.1).\r\n ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-01-16T00:00:00", "type": "patchstack", "title": "WordPress Stockdio Historical Chart plugin <= 2.7.2 - Cross-Site Scripting (XSS) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28707"], "modified": "2021-01-16T00:00:00", "id": "PATCHSTACK:97FE2E8228B0DE7EF4DF2D61B19E57E4", "href": "https://patchstack.com/database/vulnerability/stockdio-historical-chart/wordpress-stockdio-historical-chart-plugin-2-7-2-cross-site-scripting-xss-vulnerability", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}