CVE-2018-11579 — MEDIUM (5.3)

Vulnerability Description

class-woo-banner-management.php in the MULTIDOTS WooCommerce Category Banner Management plugin 1.1.0 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage. Anyone can change the plugin's setting by simply sending a request with a wbm_save_shop_page_banner_data action.

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Multidots	Woocommerce Category Banner Management	1.1.0

Related Weaknesses (CWE)

CWE-287

References

http://labs.threatpress.com/unauthenticated-settings-change-vulnerability-in-wooExploitThird Party Advisory
https://wordpress.org/plugins/banner-management-for-woocommerce/#developersRelease Notes
http://labs.threatpress.com/unauthenticated-settings-change-vulnerability-in-wooExploitThird Party Advisory
https://wordpress.org/plugins/banner-management-for-woocommerce/#developersRelease Notes

FAQ

What is CVE-2018-11579?

CVE-2018-11579 is a vulnerability with a CVSS score of 5.3 (MEDIUM). class-woo-banner-management.php in the MULTIDOTS WooCommerce Category Banner Management plugin 1.1.0 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopr...

How severe is CVE-2018-11579?

CVE-2018-11579 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-11579?

Check the references section above for vendor advisories and patch information. Affected products include: Multidots Woocommerce Category Banner Management.