Vulnerability Description
A flaw in Give before 2.5.5, a WordPress plugin, allowed unauthenticated users to bypass API authentication methods and access personally identifiable user information (PII) including names, addresses, IP addresses, and email addresses. Once an API key has been set to any meta key value from the wp_usermeta table, and the token is set to the corresponding MD5 hash of the meta key selected, one can make a request to the restricted endpoints, and thus access sensitive donor data.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Givewp | Givewp | < 2.5.5 |
Related Weaknesses (CWE)
References
- https://wpvulndb.com/vulnerabilities/9889Third Party Advisory
- https://www.wordfence.com/blog/2019/09/authentication-bypass-vulnerability-in-giExploitThird Party Advisory
- https://wpvulndb.com/vulnerabilities/9889Third Party Advisory
- https://www.wordfence.com/blog/2019/09/authentication-bypass-vulnerability-in-giExploitThird Party Advisory
FAQ
What is CVE-2019-20360?
CVE-2019-20360 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw in Give before 2.5.5, a WordPress plugin, allowed unauthenticated users to bypass API authentication methods and access personally identifiable user information (PII) including names, addresses...
How severe is CVE-2019-20360?
CVE-2019-20360 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-20360?
Check the references section above for vendor advisories and patch information. Affected products include: Givewp Givewp.