CVE-2018-11632 Information
Feb 14, 2021
cve
Description
An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering) the attacker can change the plugin settings via wp-admin/admin-post.php CSRF. There’s no nonce or capability check in the whatsapp_share_setting_add_update() function.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Reference
http://labs.threatpress.com/cross-site-request-forgery-csrf-in-add-social-share-messenger-buttons-whatsapp-and-viber-plugin/
https://wordpress.org/plugins/add-social-share-buttons/developers
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
6.5
Base Severity
MEDIUM