Vulnerability CVE-2018-16259


Published: 2019-04-12   Modified: 2019-04-15

Description:
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-settings large_feed_limit.

Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Soflyy
Product: WP All Import
Version: 3.4.9

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

 References:
https://ansawaf.blogspot.com/2019/04/xss-in-import-any-xml-or-csv-file-for.html
https://docs.google.com/document/d/1Lfk0YQMIhlMCOOvVRX8HkU6C50s9QSW7C-9gnNmzsHY/edit?usp=sharing

Related CVE
CVE-2018-16258
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-import custom_type.
CVE-2018-16257
There are multiple XSS vulnerabilities in WP All Import plugin 3.4.9 for WordPress via action=template.
CVE-2018-16256
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via Add Filtering Options(Add Rule).
CVE-2018-16255
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=evaluate.
CVE-2018-16254
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=options.
CVE-2018-0547
Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.7 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors.

Copyright 2019, cxsecurity.com

 
