Cross-Site Scripting Vulnerability in SabaiApp Directories Pro Plugin for WordPress
CVE-2020-29303

6.1MEDIUM

Key Information:

Vendor
Wordpress
Status
Directories Pro
Vendor
CVE Published:
14 December 2020

Summary

The SabaiApp Directories Pro plugin for WordPress contains a cross-site scripting (XSS) vulnerability that can be exploited by remote attackers. This flaw allows attackers to inject arbitrary web scripts or HTML code through a POST request to /wp-admin/admin.php. The attack leverages the _drts_form_build_id parameter, which carries the XSS payload, along with an invalid or nonexistent CSRF token, making the system susceptible to exploitation. Users should promptly update to version 1.3.46 or later to mitigate this vulnerability.

References

http://seclists.org/fulldisclosure/2020/Dec/14
mailing-listx_refsource_FULLDISC
http://packetstormsecurity.com/files/160452/WordPress-Dir...
x_refsource_MISC
https://www.themissinglink.com.au/security-advisories-cve...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.