Cross-Site Scripting Vulnerability in Dynamic Widgets Plugin for WordPress
CVE-2015-9436

5.4MEDIUM

Key Information:

Vendor

Wordpress
Status
Dynamic Widgets
Vendor
CVE Published:
26 September 2019

What is CVE-2015-9436?

The Dynamic Widgets plugin for WordPress, prior to version 1.5.11, contains a Cross-Site Scripting (XSS) flaw. This vulnerability arises from improper validation of input parameters in the 'wp-admin/admin-ajax.php' file, specifically in the 'action=term_tree' context. Attackers can exploit this flaw by injecting malicious scripts through the 'prefix' or 'widget_id' parameters, potentially allowing unauthorized actions and compromising site security.

References

https://wpvulndb.com/vulnerabilities/8258
x_refsource_MISC
https://wordpress.org/plugins/dynamic-widgets/#developers
x_refsource_MISC
http://cinu.pl/research/wp-plugins/mail_489304900a50751da...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.