Cross-Site Scripting Vulnerability in BFT Autoresponder Plugin for WordPress
CVE-2018-1002006

4.8MEDIUM

Key Information:

Vendor

WordPress
Status
Arigato Autoresponder And Newsletter
Vendor
CVE Published:
3 December 2018

What is CVE-2018-1002006?

A Cross-Site Scripting (XSS) vulnerability exists in the BFT Autoresponder plugin for WordPress, allowing an attacker with administrative privileges to exploit the flaw. The vulnerability can be triggered through a malicious POST request that manipulates input variables in the integration-contact-form.html.php file. This flaw enables the execution of arbitrary scripts in the context of users who visit the affected site, potentially compromising user data and site integrity. It is essential for users and administrators to ensure their installations are updated and to apply necessary security measures.

Affected Version(s)

Arigato Autoresponder and Newsletter <= 2.5.1.8

References

https://www.exploit-db.com/exploits/45434/
exploitx_refsource_EXPLOIT-DB
https://wordpress.org/plugins/bft-autoresponder/
x_refsource_MISC
http://www.vapidlabs.com/advisory.php?v=203
x_refsource_MISC

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.