## Description
The WordPress plugin "Simple Custom CSS and JS" provided by SilkyPress contains a reflected cross-site scripting vulnerability (CWE-79).
## Impact
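An arbitrary script may be executed in a logged-in user's web browser. The CVSS vectors recorded for this advisory mark user interaction as required, which is consistent with a reflected issue: the script runs only when the user's browser is made to send a crafted request to the affected site.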
## Solution
**Update the plugin**
Update the plugin to a fixed version (3.4 or later, since versions prior to 3.4 are affected), following the information provided by the developer.
## Products Affected
* Simple Custom CSS and JS prior to version 3.4
Related
{"id": "JVN:31459091", "vendorId": null, "type": "jvn", "bulletinFamily": "info", "title": "JVN#31459091: WordPress plugin \"Simple Custom CSS and JS\" vulnerable to cross-site scripting", "description": "The WordPress plugin \"Simple Custom CSS and JS\" provided by SilkyPress contains a reflected cross-site scripting vulnerability (CWE-79).\n\n ## Impact\n\nAn arbitrary script may be executed on a logged in user's web browser.\n\n ## Solution\n\n**Update the plugin** \nUpdate the plugin according to the information provided by the developer.\n\n ## Products Affected\n\n * Simple Custom CSS and JS prior to version 3.4\n", "published": "2017-07-24T00:00:00", "modified": "2017-07-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "http://jvn.jp/en/jp/JVN31459091/index.html", "reporter": "Japan Vulnerability Notes", "references": [], "cvelist": ["CVE-2017-2285"], "immutableFields": [], "lastseen": "2021-12-28T23:20:32", "viewCount": 40, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-2285"]}, {"type": "patchstack", 
"idList": ["PATCHSTACK:8A5184DEF9EB1B768D55BBF026559DA2"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:CF5E55CA-3472-489D-88E8-01AB83B852FE"]}]}, "score": {"value": 0.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2017-2285"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:CF5E55CA-3472-489D-88E8-01AB83B852FE"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-2285", "epss": "0.001500000", "percentile": "0.493240000", "modified": "2023-03-14"}], "vulnersScore": 0.9}, "_state": {"dependencies": 1660004461, "score": 1660007784, "epss": 1678838010}, "_internal": {"score_hash": "ca8a2ba7ecc043ac130be95de26597b3"}}
{"cve": [{"lastseen": "2023-02-08T16:02:29", "description": "Cross-site scripting vulnerability in Simple Custom CSS and JS prior to version 3.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2017-08-02T16:29:00", "type": "cve", "title": "CVE-2017-2285", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2285"], "modified": "2017-08-04T13:42:00", "cpe": ["cpe:/a:silkypress:simple_custom_css_and_js:2.7", "cpe:/a:silkypress:simple_custom_css_and_js:1.0", "cpe:/a:silkypress:simple_custom_css_and_js:2.6", "cpe:/a:silkypress:simple_custom_css_and_js:1.5", "cpe:/a:silkypress:simple_custom_css_and_js:3.3", "cpe:/a:silkypress:simple_custom_css_and_js:1.3", "cpe:/a:silkypress:simple_custom_css_and_js:1.6", "cpe:/a:silkypress:simple_custom_css_and_js:2.3", "cpe:/a:silkypress:simple_custom_css_and_js:1.1", "cpe:/a:silkypress:simple_custom_css_and_js:2.4", "cpe:/a:silkypress:simple_custom_css_and_js:3.1", "cpe:/a:silkypress:simple_custom_css_and_js:2.1", "cpe:/a:silkypress:simple_custom_css_and_js:3.0", 
"cpe:/a:silkypress:simple_custom_css_and_js:2.10", "cpe:/a:silkypress:simple_custom_css_and_js:2.2", "cpe:/a:silkypress:simple_custom_css_and_js:3.2", "cpe:/a:silkypress:simple_custom_css_and_js:2.5", "cpe:/a:silkypress:simple_custom_css_and_js:2.8", "cpe:/a:silkypress:simple_custom_css_and_js:1.4", "cpe:/a:silkypress:simple_custom_css_and_js:2.9", "cpe:/a:silkypress:simple_custom_css_and_js:1.2", "cpe:/a:silkypress:simple_custom_css_and_js:2.0"], "id": "CVE-2017-2285", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2285", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:silkypress:simple_custom_css_and_js:2.4:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:1.6:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:1.5:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:3.3:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:1.3:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:2.3:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:1.4:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:1.1:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:2.1:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:2.5:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:2.10:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:1.2:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:2.6:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:2.9:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:2.7:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:3.0:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:3.1:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:2.8:*:*:*:*:wordpress:*:*", 
"cpe:2.3:a:silkypress:simple_custom_css_and_js:2.0:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:3.2:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:2.2:*:*:*:*:wordpress:*:*", "cpe:2.3:a:silkypress:simple_custom_css_and_js:1.0:*:*:*:*:wordpress:*:*"]}], "wpvulndb": [{"lastseen": "2021-02-15T22:16:45", "bulletinFamily": "software", "cvelist": ["CVE-2017-2285"], "description": "The Simple Custom CSS and JS WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) security vulnerability.\n", "modified": "2020-09-22T07:20:49", "published": "2017-07-24T00:00:00", "id": "WPVDB-ID:CF5E55CA-3472-489D-88E8-01AB83B852FE", "href": "https://wpscan.com/vulnerability/cf5e55ca-3472-489d-88e8-01ab83b852fe", "type": "wpvulndb", "title": "Simple Custom CSS and JS <= 3.3 - Authenticated Cross-Site Scripting (XSS)", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "patchstack": [{"lastseen": "2022-06-01T19:39:32", "description": "Authenticated Cross-Site Scripting (XSS) vulnerability found by Chris Liu in WordPress Simple Custom CSS and JS plugin version 3.3 and earlier versions.\n\n## Solution\n\n\r\n Update WordPress Simple Custom CSS and JS plugin to the latest available version (at least 3.4).\r\n ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2017-07-25T00:00:00", "type": "patchstack", "title": "WordPress Simple Custom CSS and JS plugin <=3.3 - Authenticated Cross-Site Scripting (XSS) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2285"], "modified": "2017-07-25T00:00:00", "id": "PATCHSTACK:8A5184DEF9EB1B768D55BBF026559DA2", "href": "https://patchstack.com/database/vulnerability/custom-css-js/wordpress-simple-custom-css-and-js-plugin-3-3-authenticated-cross-site-scripting-xss-vulnerability", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}