Design/Logic Flaw

2017-12-2003:29:00

PRIOn knowledge base

www.prio-n.com

0.001 Low

EPSS

Percentile

31.1%

JSON

The Clockwork SMS clockwork-test-message.php component has XSS via a crafted “to” parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2, and WP e-Commerce - Clockwork SMS 2.0.5.

CPENameOperatorVersion
booking_calendar_smseq1.0.5
clockwork_sms_notficationseq2.0.3
contact_form_7_smseq2.3.0
fast_secure_contact_form_smseq2.1.2
formidableeq1.0.2
gravity_formseq2.2
two-factor_authenticationeq1.0.2
wp_e-commerceeq2.0.5

Name	Operator	Version
booking_calendar_sms	eq	1.0.5
clockwork_sms_notfications	eq	2.0.3
contact_form_7_sms	eq	2.3.0
fast_secure_contact_form_sms	eq	2.1.2
formidable	eq	1.0.2
gravity_forms	eq	2.2
two-factor_authentication	eq	1.0.2
wp_e-commerce	eq	2.0.5

References

packetstormsecurity.com/files/145469/Clockwork-SMS-Cross-Site-Scripting.html

plugins.trac.wordpress.org/changeset/1781424/clockwork-two-factor-authentication/trunk/templates/clockwork-test-message.php?old=706348&old_path=clockwork-two-factor-authentication%2Ftrunk%2Ftemplates%2Fclockwork-test-message.php

0.001 Low

EPSS

Percentile

31.1%

JSON

Related for PRION:CVE-2017-17780