Vulnerability CVE-2015-2293

Vulnerability CVE-2015-2293

Published: 2015-03-17

Description:

Multiple cross-site request forgery (CSRF) vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page.

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
6.8/10	6.4/10	8.6/10

Exploit range	Attack complexity	Authentication
Remote	Medium	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
Yoast -> Wordpress seo

References:

https://yoast.com/wordpress-seo-security-release/

https://wpvulndb.com/vulnerabilities/7841

https://wordpress.org/plugins/wordpress-seo/changelog/

http://www.securitytracker.com/id/1031920

http://seclists.org/fulldisclosure/2015/Mar/73

http://packetstormsecurity.com/files/130811/WordPress-SEO-By-Yoast-1.7.3.3-SQL-Injection.html

Copyright 2024, cxsecurity.com