CVE-2018-11579 Information

Description

class-woo-banner-management.php in the MULTIDOTS WooCommerce Category Banner Management plugin 1.1.0 for WordPress has an Unauthenticated Settings Change Vulnerability related to certain wp_ajax_nopriv_ usage. Anyone can change the plugin’s setting by simply sending a request with a wbm_save_shop_page_banner_data action.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Reference

http://labs.threatpress.com/unauthenticated-settings-change-vulnerability-in-woocommerce-category-banner-management-plugin/ https://wordpress.org/plugins/banner-management-for-woocommerce/developers

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

5.3