Persistent Cross-Site Scripting Vulnerabilities in All In One Favicon Plugin for WordPress
CVE-2018-13832

4.8MEDIUM

Key Information:

Vendor: Wordpress
Status: All In One Favicon
Vendor: CVE Published:; 16 July 2018

Summary

The All In One Favicon plugin for WordPress version 4.6 contains multiple persistent cross-site scripting (XSS) vulnerabilities. These weaknesses permit remote attackers to inject arbitrary web scripts or HTML through various text field inputs, including Apple-Text, GIF-Text, ICO-Text, PNG-Text, and JPG-Text. Successful exploitation could lead to unauthorized actions on behalf of affected users and compromise sensitive data.

References

https://hackpuntes.com/cve-2018-13832-wordpress-plugin-al...

x_refsource_MISC

https://www.exploit-db.com/exploits/45056/

exploitx_refsource_EXPLOIT-DB

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jul 16, 2018
Vulnerability Reserved
Jul 10, 2018