Vulnerability Description
The Wordfence plugin 7.2.3 for WordPress allows XSS via a unique attack vector. NOTE: It has been asserted that this is not a valid vulnerability in the context of the Wordfence WordPress plugin, as the firewall rules are not maintained as part of the Wordfence software but are a set of rules hosted on vendor servers and pushed to the plugin with no versioning associated. Bypassing a WAF rule does not by itself make a WordPress site vulnerable (speaking in terms of software vulnerabilities): a site is only exposed if the underlying application fails to encode the untrusted input the WAF let through.
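The distinction drawn in the NOTE is worth seeing in code. The following is an added illustration, not code from the Wordfence project and not the attack vector behind this CVE (the page does not disclose it): a toy signature-based filter standing in for a WAF rule, a vulnerable renderer that relies on that filter, and a renderer that HTML-encodes output for the body context. The blocklist patterns and both payloads are constructed for the example; the second payload is chosen simply because it is not in the toy list.

```python
import html
import re

# Toy signature filter standing in for a WAF rule set. CONSTRUCTED for this
# example; these are not Wordfence's rules and are deliberately incomplete.
BLOCKLIST = [
    re.compile(r"<script", re.IGNORECASE),
    re.compile(r"javascript:", re.IGNORECASE),
    re.compile(r"on(load|error|click)\s*=", re.IGNORECASE),
]

# Constructed sample inputs: one the toy filter catches, one it does not.
PAYLOADS = {
    "blocked": "<script>alert(1)</script>",
    "bypass": "<svg onmouseover=alert(1)>",  # handler name not in the toy list
}


def waf_allows(value: str) -> bool:
    """True if no blocklist signature matches (the request would reach the app)."""
    return not any(p.search(value) for p in BLOCKLIST)


def render_unsafe(name: str) -> str:
    """Vulnerable: interpolates untrusted input straight into the HTML body,
    so it is only as safe as whatever filtering happened upstream."""
    return f"<p>Hello, {name}</p>"


def render_safe(name: str) -> str:
    """Fixed: encodes for the HTML body context. Correct regardless of
    whether a WAF rule in front of the application matched or not."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def contains_active_markup(markup: str) -> bool:
    """Crude check used only for the demonstration: does the rendered page
    contain any tag other than the template's own <p>?"""
    tags = re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", markup)
    return any(t.lower() != "p" for t in tags)


def evaluate() -> dict:
    """For each payload, record whether the toy WAF passes it and whether each
    renderer leaves attacker markup in the output."""
    results = {}
    for label, payload in PAYLOADS.items():
        results[label] = {
            "waf_allows": waf_allows(payload),
            "unsafe_exposed": contains_active_markup(render_unsafe(payload)),
            "safe_exposed": contains_active_markup(render_safe(payload)),
        }
    return results


if __name__ == "__main__":
    for label, r in evaluate().items():
        print(f"{label:8s} waf_allows={r['waf_allows']} "
              f"unsafe_exposed={r['unsafe_exposed']} safe_exposed={r['safe_exposed']}")
```

The filter stops the first payload and passes the second; the renderer that trusts the filter emits the injected element, while the encoding renderer neutralises both. That is the practical reading of the NOTE: treat a WAF bypass as a lost layer of defence in depth and verify that output encoding in the application is correct, rather than treating the bypass itself as the vulnerability.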
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wordfence | Wordfence | 7.2.3 |
Related Weaknesses (CWE)
References
- https://www.edgescan.com/popular-wordpress-waf-bypass-zeroday-discovered-by-edge (Exploit, Third Party Advisory)
FAQ
What is CVE-2019-9669?
CVE-2019-9669 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Wordfence plugin 7.2.3 for WordPress allows XSS via a unique attack vector. NOTE: It has been asserted that this is not a valid vulnerability in the context of the Wordfence WordPress plugin as th...
How severe is CVE-2019-9669?
CVE-2019-9669 has been rated MEDIUM with a CVSS base score of 6.1/10. Only the base score is listed on this page; no vector string or metric breakdown is given.
Is there a patch for CVE-2019-9669?
Check the references section above for vendor advisories and patch information. The affected product is the Wordfence plugin for WordPress, version 7.2.3. Note that, per the vulnerability description, the firewall rules in question are delivered from vendor servers rather than shipped with a plugin release, so a fix would not necessarily appear as a new plugin version.