CVE-2017-17780 — MEDIUM (6.1)

Vulnerability Description

The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2, and WP e-Commerce - Clockwork SMS 2.0.5.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Mediaburst	Booking Calendar Sms	1.0.5
Mediaburst	Clockwork Sms Notfications	2.0.3
Mediaburst	Contact Form 7 Sms	2.3.0
Mediaburst	Fast Secure Contact Form Sms	2.1.2
Mediaburst	Formidable	1.0.2
Mediaburst	Gravity Forms	2.2
Mediaburst	Two-Factor Authentication	1.0.2
Mediaburst	Wp E-Commerce	2.0.5

Related Weaknesses (CWE)

CWE-79

References

https://packetstormsecurity.com/files/145469/Clockwork-SMS-Cross-Site-Scripting.ExploitIssue TrackingThird Party Advisory
https://plugins.trac.wordpress.org/changeset/1781424/clockwork-two-factor-authenIssue TrackingPatchThird Party Advisory
https://packetstormsecurity.com/files/145469/Clockwork-SMS-Cross-Site-Scripting.ExploitIssue TrackingThird Party Advisory
https://plugins.trac.wordpress.org/changeset/1781424/clockwork-two-factor-authenIssue TrackingPatchThird Party Advisory

FAQ

What is CVE-2017-17780?

CVE-2017-17780 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following Wor...

How severe is CVE-2017-17780?

CVE-2017-17780 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-17780?

Check the references section above for vendor advisories and patch information. Affected products include: Mediaburst Booking Calendar Sms, Mediaburst Clockwork Sms Notfications, Mediaburst Contact Form 7 Sms, Mediaburst Fast Secure Contact Form Sms, Mediaburst Formidable.