PT-2019-7372 · WordPress · Eshop Plugin

Published

2019-09-25

Updated

2019-09-27

CVE-2015-9413

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions eshop plugin for WordPress versions through 6.3.13

Description The issue concerns a CSRF with resultant XSS in the eshop plugin for WordPress. This occurs via the "title" parameter in the "/wp-admin/admin.php?page=eshop-downloads.php" API endpoint.

Recommendations For eshop plugin for WordPress versions through 6.3.13, update to a version later than 6.3.13 to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-admin/admin.php?page=eshop-downloads.php" endpoint to minimize the risk of exploitation. Avoid using the title parameter in this endpoint until the issue is resolved.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2015-9413

Affected Products

Eshop Plugin

PT-2019-7372 · WordPress · Eshop Plugin

CVE-2015-9413

Weakness Enumeration

Related Identifiers

Affected Products

References · 6