PT-2014-8987 · WordPress · Simpleflickr

Published

2014-12-31

Updated

2017-09-08

CVE-2014-9396

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions SimpleFlickr plugin versions 3.0.3 and earlier

Description The issue allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks. This is achieved via the simpleflickr width, simpleflickr bgcolor, or simpleflickr xmldatapath parameter in the "simpleFlickr.php" page to "wp-admin/options-general.php".

Recommendations For SimpleFlickr plugin versions 3.0.3 and earlier, consider disabling the simpleFlickr.php page or restricting access to the wp-admin/options-general.php page until a patch is available. Avoid using the simpleflickr width, simpleflickr bgcolor, or simpleflickr xmldatapath parameters in the simpleFlickr.php page until the issue is resolved.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2014-9396

Affected Products

Simpleflickr

PT-2014-8987 · WordPress · Simpleflickr

CVE-2014-9396

Weakness Enumeration

Related Identifiers

Affected Products

References · 4