CVE-2019-20360 Information
Feb 14, 2021
cve
Description
A flaw in Give before 2.5.5 a WordPress plugin allowed unauthenticated users to bypass API authentication methods and access personally identifiable user information (PII) including names addresses IP addresses and email addresses. Once an API key has been set to any meta key value from the wp_usermeta table and the token is set to the corresponding MD5 hash of the meta key selected one can make a request to the restricted endpoints and thus access sensitive donor data.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Reference
https://wpvulndb.com/vulnerabilities/9889 https://www.wordfence.com/blog/2019/09/authentication-bypass-vulnerability-in-givewp-plugin/
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
NONE
Base Severity
7.5
Share on: