PT-2017-10995 · WordPress+1 · Dtracker+1
Larry W. Cashdollar
+1
·
Published
2017-09-14
·
Updated
2019-10-03
·
CVE-2017-1002006
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
DTracker version 1.5
Description
The issue concerns a lack of authorization check in the DTracker plugin for WordPress. Specifically, the code in dtracker/save contact.php does not verify user authorization before adding new contacts to the wp contact table.
Recommendations
For DTracker version 1.5, consider disabling the save contact.php functionality until a patch is available to prevent unauthorized injection of contacts into the database. Restrict access to the dtracker/save contact.php file to minimize the risk of exploitation.
Exploit
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Dtracker
Wordpress