Cross-Site Scripting Flaw in ImageInject Plugin for WordPress
CVE-2018-5284

4.8MEDIUM

Key Information:

Vendor
Wordpress
Status
Imageinject
Vendor
CVE Published:
8 January 2018

Summary

The ImageInject plugin version 1.15 for WordPress contains a vulnerability that allows attackers to exploit the flickr_appid parameter. This weakness permits Cross-Site Scripting (XSS) attacks, enabling malicious users to inject arbitrary scripts into web pages. These scripts can be used to compromise user sessions, manipulate web content, and potentially perform other harmful actions. Site administrators using this plugin should take precautionary measures to safeguard against XSS attacks.

References

https://wordpress.org/support/topic/stored-xss-csrf-bug-a...
x_refsource_MISC
https://wpvulndb.com/vulnerabilities/8994
x_refsource_MISC
https://github.com/d4wner/Vulnerabilities-Report/blob/mas...
x_refsource_MISC

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.