RenniepakPATCHSTACK:F1DD383B93875E156BF7B5AE04375FC4WordPress Favicon plugin <= 1.3.20 - Reflected Cross-Site Scripting (XSS) vulnerability
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
Reflected Cross-Site Scripting (XSS) vulnerability discovered by renniepak in WordPress Favicon plugin (versions <= 1.3.20).
Solution
According to WPScanTeam, there were attempts to contact the vendor, but the vulnerability was disclosed due to the vendor's lack of response.
Timeline (WPScanTeam):
June 28th, 2021 - Details sent to vendor
July 9th, 2021 - Escalated to WP due to lack of response from vendor
July 27th, 2021 - No update, disclosing
August 9th, 2021 - v1.3.22 released, fixing the issue
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N