PT-2019-18587 · Mythemeshop · Mythemeshop Launcher

Published 2019-05-13 · Updated 2019-05-14 · CVE-2019-7411

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

MyThemeShop Launcher plugin version 1.0.8

Description

The issue concerns multiple stored cross-site scripting (XSS) instances. Remote authenticated users can inject arbitrary web script or HTML via various fields, including:
  • Title
  • Favicon
  • Meta Description
  • Subscribe Form fields: Name field label, Last name field label, Email field label
  • Contact Form fields: Name field label and Email field label
  • Social Links fields: Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL

Recommendations

For MyThemeShop Launcher plugin version 1.0.8, consider updating to a newer version that addresses these stored XSS issues. As a temporary workaround, restrict access to the fields mentioned above to minimize the risk of exploitation.
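
For maintainers reviewing similar settings code, the added example below (not the Launcher plugin's code and not from the vendor) shows the two controls this class of bug calls for: sanitizing the listed field types on save and escaping them per context on output. It is plain PHP so it runs outside WordPress, where the corresponding helpers are `sanitize_text_field()` and `esc_url_raw()` on save and `esc_html()`, `esc_attr()` and `esc_url()` on output. The array keys, function names and sample values are assumptions made for illustration.

```php
<?php
// Added example: generic PHP, not the Launcher plugin's code.
// Keys mirror the advisory's field list; the storage layout is assumed.

/** Escape a value for HTML text or a quoted attribute. */
function h(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Accept only absolute http(s) URLs; anything else becomes ''. */
function clean_url(string $v): string {
    $v = trim($v);
    if (preg_match('/[\x00-\x20\x7f"\'<>]/', $v)) return '';
    $parts = parse_url($v);
    if ($parts === false || empty($parts['host'])) return '';
    $scheme = strtolower($parts['scheme'] ?? '');
    return in_array($scheme, ['http', 'https'], true) ? $v : '';
}

/** On save: strip markup from text fields, validate URL fields. */
function sanitize_settings(array $in): array {
    $text = ['title', 'meta_description', 'subscribe_name_label', 'contact_email_label'];
    $urls = ['favicon', 'facebook_url', 'twitter_url', 'rss_url'];
    $out = [];
    foreach ($text as $k) $out[$k] = trim(strip_tags((string)($in[$k] ?? '')));
    foreach ($urls as $k) $out[$k] = clean_url((string)($in[$k] ?? ''));
    return $out;
}

/** On output: escape again, per context, even though input was sanitized. */
function render(array $s): string {
    $html  = '<title>' . h($s['title']) . "</title>\n";
    $html .= '<meta name="description" content="' . h($s['meta_description']) . "\">\n";
    if ($s['favicon'] !== '') $html .= '<link rel="icon" href="' . h($s['favicon']) . "\">\n";
    $html .= '<label>' . h($s['subscribe_name_label']) . "</label>\n";
    if ($s['facebook_url'] !== '') $html .= '<a href="' . h($s['facebook_url']) . "\">Facebook</a>\n";
    return $html;
}

// Constructed sample input (not taken from the advisory).
$saved = sanitize_settings([
    'title'                => 'Coming soon <b>!</b>',
    'meta_description'     => 'Launch page" data-x="1',
    'subscribe_name_label' => 'Name & surname',
    'favicon'              => 'https://example.com/favicon.ico',
    'facebook_url'         => 'javascript:void(0)',
]);
echo render($saved);
```

With this input the title loses its markup, the quote in the meta description is emitted as `&quot;`, and the Facebook link is dropped because its scheme is not `http` or `https`.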

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-7411

Affected Products

Mythemeshop Launcher