Vulnerability CVE-2013-2640

Vulnerability CVE-2013-2640

Published: 2013-03-22

Description:

ajax.functions.php in the MailUp plugin before 1.3.2 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks via unspecified vectors related to "formData=save" requests, a different version than CVE-2013-0731.

Type:

CWE-264

(Permissions, Privileges, and Access Controls)

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score	Impact Subscore	Exploitability Subscore
5/10	2.9/10	10/10

Exploit range	Attack complexity	Authentication
Remote	Low	No required
Confidentiality impact	Integrity impact	Availability impact
None	Partial	None

Affected software
Mailup -> Wp-mailup

References:

http://plugins.trac.wordpress.org/changeset?new=682420

http://wordpress.org/extend/plugins/wp-mailup/changelog/

http://secunia.com/advisories/51917

http://osvdb.org/91274

Copyright 2024, cxsecurity.com