AJAX Action Vulnerability in nd-shortcodes Plugin for WordPress
CVE-2019-15771

6.1 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 29 August 2019

Summary

The nd-shortcodes plugin for WordPress contains a vulnerability that enables unauthorized users to modify critical site settings through an unprotected AJAX action. Specifically, the nopriv_ AJAX action in versions prior to 6.0 allows attackers to change the siteurl setting, potentially leading to broader site compromises. This vulnerability emphasizes the importance of securing AJAX actions within WordPress plugins to prevent unauthorized alterations and maintain site integrity.
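
A hardened settings handler of the kind the summary calls for, as an added example (not code from nd-shortcodes or its fix). The action name `example_save_option`, the nonce field `nonce`, and the option names in the allowlist are hypothetical.

```php
<?php
// Added example: hypothetical plugin code, not taken from nd-shortcodes.
// Register the settings-changing action for logged-in users only.
// No matching wp_ajax_nopriv_ hook is registered, so admin-ajax.php
// never dispatches unauthenticated requests to this callback.
add_action( 'wp_ajax_example_save_option', 'example_save_option' );

function example_save_option() {
    // 1. CSRF protection: the request must carry the nonce issued to
    //    this user for this action. On failure WordPress ends the request.
    check_ajax_referer( 'example_save_option', 'nonce' );

    // 2. Authorization: being logged in is not enough, since subscribers
    //    can also reach wp_ajax_ hooks. Require the settings capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Allowlist: the client never chooses an arbitrary option name,
    //    so core options such as siteurl cannot be written through here.
    $allowed = array( 'example_layout', 'example_color' ); // hypothetical names
    $name    = isset( $_POST['name'] )
        ? sanitize_key( wp_unslash( $_POST['name'] ) )
        : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option' ), 400 );
    }

    // 4. Sanitize the value before it is stored.
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';

    update_option( $name, $value );
    wp_send_json_success();
}
```

When auditing other plugins for the same class of flaw, every `wp_ajax_nopriv_` registration whose callback reaches `update_option()` deserves the same three checks.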

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
