Cross-Site Scripting Vulnerability in Pootle Button Plugin for WordPress
CVE-2017-15811
5.4 MEDIUM
Summary
Versions of the Pootle Button plugin for WordPress prior to 1.2.0 are vulnerable to Cross-Site Scripting (XSS). The flaw stems from improper handling of user-supplied input in the 'assets_url' parameter of the 'assets/dialog.php' file. An attacker can reach this code through the 'wp-admin/admin-ajax.php' endpoint, potentially causing malicious scripts to execute in the browsers of users who visit the affected site.
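The following is an added illustration, not the plugin's own code: a hypothetical admin-ajax handler reconstructing the pattern the summary describes (a request-supplied 'assets_url' reflected unescaped into markup), beside a hardened version. The hook name, capability and nonce action are assumptions chosen for the example.

```php
<?php
// Hypothetical reconstruction of the vulnerable pattern (illustrative, not the plugin's actual code).
// The handler is reached via wp-admin/admin-ajax.php?action=pootle_button_dialog&assets_url=...
add_action('wp_ajax_pootle_button_dialog', function () {
    $assets_url = isset($_GET['assets_url']) ? wp_unslash($_GET['assets_url']) : '';
    // Reflected verbatim into an HTML attribute: any value that closes the
    // attribute or the tag is interpreted as markup by the viewer's browser.
    echo '<link rel="stylesheet" href="' . $assets_url . '/dialog.css">';
    wp_die();
});

// Hardened version of the same handler.
add_action('wp_ajax_pootle_button_dialog_safe', function () {
    // 1. Gate the endpoint: require the capability the dialog is for and a valid
    //    nonce, so the request must originate from a logged-in editor session.
    if (!current_user_can('edit_posts')
        || !check_ajax_referer('pootle_button_dialog', 'nonce', false)) {
        wp_die('', '', array('response' => 403));
    }
    // 2. Remove the attacker-controlled input entirely: the plugin already knows
    //    where its own assets live, so there is no reason to accept a URL.
    $assets_url = plugins_url('assets', __FILE__);
    // 3. Escape at the point of output regardless, so a later change in where
    //    the value comes from cannot reintroduce the injection.
    echo '<link rel="stylesheet" href="' . esc_url($assets_url . '/dialog.css') . '">';
    wp_die();
});
```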
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed