Description

The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Related CPE's

a

tiempo

tiempo

*

*

*

*

*

wordpress

Vulnerable

References

https://wpscan.com/vulnerability/0e677df9-2c49-42f0-a8e2-dbcf85bfc1a2

ExploitThird Party Advisory

Weaknesses

Could not find any weaknesses

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.1 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2023-08-16T12:15:11.977

11 months ago

Last modified

2023-11-07T03:59:31.437

8 months ago