Vulnerability CVE-2017-18521


Published: 2019-08-21

Description:
The democracy-poll plugin before 5.4 for WordPress has CSRF via wp-admin/options-general.php?page=democracy-poll&subpage=l10n.

Type: CWE-352 (Cross-Site Request Forgery (CSRF))
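The description above gives only the affected admin URL; the following is an added illustration, not code from the democracy-poll plugin or from its author, of the handler shape behind a WordPress settings subpage that produces CWE-352, next to the hardened shape. All function, option and field names (demo_l10n_*) are hypothetical; the WordPress API calls (current_user_can, check_admin_referer, wp_nonce_field, sanitize_text_field, update_option) are real.

```php
<?php
/*
 * Added example (not the democracy-poll plugin's own code). A minimal
 * WordPress admin "save settings" handler in the vulnerable shape, beside
 * the hardened shape. The demo_l10n_* names are hypothetical.
 */

// --- Vulnerable shape: trusts any POST that reaches the admin page. ---
// A logged-in administrator who opens an attacker-controlled page can have
// a form auto-submitted to this URL; the browser attaches the admin's
// session cookies, so the request looks authenticated. Nothing proves the
// admin intended it.
function demo_l10n_save_vulnerable() {
    if ( isset( $_POST['demo_l10n'] ) && is_array( $_POST['demo_l10n'] ) ) {
        // No capability check, no nonce, no sanitisation: CWE-352.
        update_option( 'demo_l10n_strings', $_POST['demo_l10n'] );
    }
}

// --- Hardened shape: capability check + per-action nonce + sanitisation. ---
function demo_l10n_save_hardened() {
    if ( ! isset( $_POST['demo_l10n'] ) || ! is_array( $_POST['demo_l10n'] ) ) {
        return;
    }

    // 1. Only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ), '', array( 'response' => 403 ) );
    }

    // 2. The request must carry a nonce minted by this site for this action.
    //    A cross-origin page cannot read or forge it, so a forged POST dies
    //    here (check_admin_referer() calls wp_die() on failure).
    check_admin_referer( 'demo_l10n_save', 'demo_l10n_nonce' );

    // 3. Sanitise before storing. Translation strings are echoed back into
    //    admin pages, so unsanitised input turns the CSRF into stored XSS.
    $clean = array();
    foreach ( $_POST['demo_l10n'] as $key => $value ) {
        $clean[ sanitize_key( $key ) ] = sanitize_text_field( wp_unslash( (string) $value ) );
    }
    update_option( 'demo_l10n_strings', $clean );
}

// The settings form that posts to the hardened handler must emit the
// matching nonce field, and must escape stored values on output.
function demo_l10n_form() {
    $strings = (array) get_option( 'demo_l10n_strings', array() );
    $vote    = isset( $strings['vote'] ) ? $strings['vote'] : '';

    echo '<form method="post">';
    wp_nonce_field( 'demo_l10n_save', 'demo_l10n_nonce' );   // hidden _wpnonce-style field
    echo '<input type="text" name="demo_l10n[vote]" value="' . esc_attr( $vote ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

When auditing a plugin for this class of bug, grep every handler reachable from an admin page for a `check_admin_referer()` / `wp_verify_nonce()` call paired with a `current_user_can()` check; a write to `update_option()` or the database that is reachable without both is the pattern this CVE describes.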

Vendor: Wp-kama
Product: Democracy poll 
Version:
5.3.6
5.3.5
5.3.4.6
5.3.4.5
5.3.4
5.3.3.2
5.3.3.1
5.3.3
5.3.2
5.3.1
5.3.0
5.2.9
5.2.8
5.2.7
5.2.6
5.2.5
5.2.4
5.2.3
5.2.2
5.2.1
5.2.0
5.1.1
5.1.0
5.0.3
5.0.2
5.0.1
5.0
4.9.4
4.9.3
4.9.2
4.9.1
4.9.0
4.8
4.7.8
4.7.7
4.7.6
4.7.5
4.7.4
4.7.3
4.7.2
4.7.1
4.7.0
4.6.9
4.6.8
4.6.7
4.6.6
4.6.5
4.6.4
4.6.3
4.6.2
4.6.1
4.6.0
4.5.9
4.5.8
4.5.7
4.5.6
4.5.5
4.5.4
4.5.3
4.5.2
4.5.1
4.5
4.4
4.3.1
4.3
4.2
4.1
4.0

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
https://wordpress.org/plugins/democracy-poll/#developers
https://www.pluginvulnerabilities.com/2017/02/22/cross-site-request-forgery-csrfcross-site-scripting-xss-vulnerability-in-democracy-poll/

Related CVE
CVE-2017-18615
The kama-clic-counter plugin before 3.5.0 for WordPress has XSS.
CVE-2017-18614
The kama-clic-counter plugin 3.4.9 for WordPress has SQL injection via the admin.php order parameter.
CVE-2017-18520
The democracy-poll plugin before 5.4 for WordPress has XSS via update_l10n in admin/class.DemAdminInit.php.

Copyright 2019, cxsecurity.com
