Cross-Site Request Forgery and Cross-Site Scripting in eshop Plugin for WordPress
CVE-2015-9413

6.5 MEDIUM

Key Information:

Vendor: WordPress
Status: Vendor
CVE Published: 26 September 2019

Summary

The eshop plugin for WordPress, in versions up to and including 6.3.13, is vulnerable to Cross-Site Request Forgery (CSRF). The affected endpoint is wp-admin/admin.php?page=eshop-downloads.php, which accepts the 'title' parameter without an anti-CSRF (nonce) check and reflects it into the admin page without escaping. An attacker who lures a logged-in administrator onto a page they control can therefore have the victim's browser submit a crafted request that injects script (XSS) into the admin page; the script then runs in the administrator's session and can perform any action that session is allowed to perform, or read anything the page exposes. Note that the published CVSS vector below rates the confidentiality impact as None and the integrity impact as High, with User Interaction required and no privileges needed by the attacker. The fix is the usual pair: verify a nonce before acting on the request, and escape the parameter on output.
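The pattern described above, as an added illustration that is not eshop's code: a hypothetical WordPress admin page handler written the vulnerable way (no nonce check, parameter echoed raw), followed by the same handler with the two missing controls. All function names, the page slug 'example-downloads', the nonce action 'example_save_download' and the option name 'example_download_title' are assumptions for this example; the WordPress API calls used (check_admin_referer, wp_nonce_field, esc_html, sanitize_text_field, add_management_page) are real.

```php
<?php
/*
 * Added example, not the plugin's source. Shows the CSRF-to-XSS pattern
 * behind the advisory and its hardened form. Names prefixed example_ and the
 * page slug / option name are assumptions made for this illustration.
 */

// --- Vulnerable pattern ----------------------------------------------------
function example_downloads_page_vulnerable() {
    // No capability check and no nonce check: any request a logged-in admin
    // can be tricked into sending (an <img src="..."> or auto-submitting form
    // on an attacker's page is enough) is handled as if the admin meant it.
    if ( isset( $_GET['title'] ) ) {
        // Reflected unescaped: a 'title' of <script>...</script> executes in
        // the administrator's session.
        echo '<h2>' . $_GET['title'] . '</h2>';
    }
}

// --- Hardened form ---------------------------------------------------------
function example_downloads_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=example-downloads' ) ); ?>">
        <?php wp_nonce_field( 'example_save_download', 'example_download_nonce' ); ?>
        <input type="text" name="title" value="" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_downloads_page_hardened() {
    // 1. Authorisation: only users allowed to manage the site may act here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to do this.' ) );
    }

    $title = '';
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // 2. CSRF: state changes only via POST carrying a valid nonce bound to
        //    this action and this user. check_admin_referer() dies (HTTP 403)
        //    when the nonce is missing, forged, or expired, so an attacker's
        //    page cannot produce a request that gets past this line.
        check_admin_referer( 'example_save_download', 'example_download_nonce' );

        // 3. Input hygiene: strip tags and control characters before storing.
        $title = isset( $_POST['title'] )
            ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
            : '';
        update_option( 'example_download_title', $title );
    } else {
        $title = get_option( 'example_download_title', '' );
    }

    // 4. XSS: escape at the point of output regardless of what was stored.
    //    esc_html() turns <script> into &lt;script&gt;, so it is displayed,
    //    not executed. Sanitising on input alone is not enough; escape here.
    echo '<h2>' . esc_html( $title ) . '</h2>';
    example_downloads_form();
}

// Registration of the hypothetical page under Tools (slug is an assumption).
add_action( 'admin_menu', function () {
    add_management_page(
        'Example Downloads',
        'Example Downloads',
        'manage_options',
        'example-downloads',
        'example_downloads_page_hardened'
    );
} );
```

Two points worth checking in a review of any similar handler: the nonce check must run before the state change, not after it, and the escaping must happen at output, since data stored before the fix (or written through another path) will otherwise still execute when displayed.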

References

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
