Vulnerability Description
The WP-Stats WordPress plugin before 2.52 does not have CSRF check when saving its settings, and did not escape some of them when outputting them, allowing attacker to make logged in high privilege users change them and set Cross-Site Scripting payloads
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wp-Stats Project | Wp-Stats | < 2.52 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/f5c3dfea-7203-4a98-88ff-aa6a24d03734Third Party Advisory
- https://www.openwall.com/lists/oss-security/2015/06/17/6ExploitMailing ListThird Party Advisory
- https://wpscan.com/vulnerability/f5c3dfea-7203-4a98-88ff-aa6a24d03734Third Party Advisory
- https://www.openwall.com/lists/oss-security/2015/06/17/6ExploitMailing ListThird Party Advisory
FAQ
What is CVE-2015-10001?
CVE-2015-10001 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The WP-Stats WordPress plugin before 2.52 does not have CSRF check when saving its settings, and did not escape some of them when outputting them, allowing attacker to make logged in high privilege us...
How severe is CVE-2015-10001?
CVE-2015-10001 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-10001?
Check the references section above for vendor advisories and patch information. Affected products include: Wp-Stats Project Wp-Stats.