CSRF Vulnerability in Dynamic Widgets Plugin for WordPress
CVE-2015-9437

6.5MEDIUM

Key Information:

Vendor
Wordpress
Status
Dynamic Widgets
Vendor
CVE Published:
26 September 2019

Summary

The Dynamic Widgets plugin for WordPress, prior to version 1.5.11, has been identified to have a CSRF vulnerability that can result in Cross-Site Scripting (XSS) attacks. Specifically, the vulnerability is triggered via the 'page_limit' parameter on the wp-admin/themes.php?page=dynwid-config page. This flaw allows an attacker to craft malicious requests on behalf of an unsuspecting user, potentially compromising the security of the website. It is essential for users to update the plugin to the latest version to mitigate this risk effectively.

References

https://wpvulndb.com/vulnerabilities/8258
x_refsource_MISC
https://wordpress.org/plugins/dynamic-widgets/#developers
x_refsource_MISC
http://cinu.pl/research/wp-plugins/mail_489304900a50751da...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.