7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.028 Low
EPSS
Percentile
89.6%
Part1. Description
portable-phpMyAdmin is Wordpress a plug-in, direct access to plug-ins when there are no validation Wordpress session and permissions.
Since this plugin has quite a lot of management functions, without a custom over the portable-phpMyAdmin plugin provides a full phpMyAdmin console and the Wordpress links database accounts MySQL configuration permissions.
Part2. Test version
1.3.0
Part3. The use of the process
Positioned to http://www.myhack58.com/wp-content/plugins/portable-phpmyadmin/wp-pma-mod
Without any authentication process, you can use the portable-phpMyAdmin plugin for full functionality
Part4. Solutions
Upgrade to v1. 3. 1
Part5. References
http://wordpress.org/extend/plugins/portable-phpmyadmin/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5469
Part. 6 timeline
10/13/2012 - Initial developer disclosure
10/14/2012 - Response from developer with commitment to fix the vulnerability
10/31/2012 - Follow-up with developer after no communication or patched release
11/16/2012 - Second attempt to follow-up with developer regarding
progress/timetable
11/26/2012 - Contacted WordPress ‘plugins team’ about lack of progress
on patched release
11/27/2012 - WordPress ‘plugins team’ patches software and releases
version 1.3.1
12/12/2012 - Public disclosure