Vulnerability Description
The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have a CSRF check when saving its settings, allowing an attacker to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of escaping when the settings are output, it could also lead to Stored Cross-Site Scripting issues.
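The description names two missing controls: a request-forgery check on the settings save and output escaping for the stored values. The following is an added example of a WordPress settings handler that has both; it is not code from the plugin or from the advisory, and all names beginning with `cbads_example_` are assumed for illustration.

```php
<?php
// Added example, not the plugin's code. A WordPress options page that
// (1) verifies a nonce and a capability before saving, and
// (2) escapes the stored value on output.
// All cbads_example_* names are assumptions for this illustration.

add_action( 'admin_menu', 'cbads_example_menu' );
function cbads_example_menu() {
    add_options_page( 'Ads Example', 'Ads Example', 'manage_options',
        'cbads-example', 'cbads_example_page' );
}

function cbads_example_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }

    if ( isset( $_POST['cbads_example_submit'] ) ) {
        // CSRF control: aborts unless the request carries a valid nonce tied to
        // this action; a cross-site form post cannot supply one.
        check_admin_referer( 'cbads_example_save', 'cbads_example_nonce' );

        // Sanitize on input; the stored value is still treated as untrusted on output.
        $keyword = isset( $_POST['cbads_example_keyword'] )
            ? sanitize_text_field( wp_unslash( $_POST['cbads_example_keyword'] ) )
            : '';
        update_option( 'cbads_example_keyword', $keyword );
        echo '<div class="notice notice-success"><p>Settings saved.</p></div>';
    }

    $keyword = get_option( 'cbads_example_keyword', '' );
    ?>
    <div class="wrap">
        <h1>Ads Example Settings</h1>
        <form method="post">
            <?php wp_nonce_field( 'cbads_example_save', 'cbads_example_nonce' ); ?>
            <label for="cbads_example_keyword">Keyword</label>
            <!-- XSS control: esc_attr() in attribute context, esc_html() in text context. -->
            <input type="text" id="cbads_example_keyword" name="cbads_example_keyword"
                   value="<?php echo esc_attr( $keyword ); ?>">
            <p>Current keyword: <?php echo esc_html( $keyword ); ?></p>
            <?php submit_button( 'Save', 'primary', 'cbads_example_submit' ); ?>
        </form>
    </div>
    <?php
}
```

The two controls are independent: the nonce check stops a forged save request, and the escaping on output stops a value that did reach the database from being rendered as markup. A handler that writes `$_POST` values straight to `update_option()` and echoes them back unescaped lacks both, which is the combination the description above refers to.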
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cbads | Clickbank Affiliate Ads | <= 1.20 |
Related Weaknesses (CWE)
References
- https://packetstormsecurity.com/files/131814/ (Exploit, Third Party Advisory, VDB Entry)
- https://seclists.org/bugtraq/2015/May/45 (Exploit, Mailing List, Third Party Advisory)
- https://wpscan.com/vulnerability/2bc3af7e-5542-40c4-8141-7c49e8df68f0 (Exploit, Third Party Advisory)
FAQ
What is CVE-2015-20105?
CVE-2015-20105 is a vulnerability with a CVSS score of 9.6 (CRITICAL). The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have a CSRF check when saving its settings, allowing an attacker to make a logged-in admin change them via a CSRF attack. Furthermore, due t...
How severe is CVE-2015-20105?
CVE-2015-20105 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2015-20105?
Check the references section above for vendor advisories and patch information. Affected products include: Cbads Clickbank Affiliate Ads.