CVE-2015-1614

Posted On // Leave a Comment

Overview

Multiple cross-site request forgery (CSRF) vulnerabilities in the Image Metadata Cruncher plugin for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) image_metadata_cruncher[alt] or (2) image_metadata_cruncher[caption] parameter in an update action in the image_metadata_cruncher_title page to wp-admin/options.php or (3) custom image meta tag to the image metadata cruncher page.

Impact raise from Low TO Medium


Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service


External Sources 

External Source: XF
Name: image-metadata-wordpress-xss(100926)
External Source: MISC
Name: http://packetstormsecurity.com/files/130404/WordPress-Image-Metadata-Cruncher-Cross-Site-Scripting.html
External Source: BUGTRAQ
Name: 20150217 CVE-2015-1614 csrf/xss in in wordpress Plugin Image Metadata cruncher
External Source: BUGTRAQ
Name: 20150215 Multiple Cross site scripting in wordpress Plugin Image Metadata cruncher

POC 

     



CVE-ID Links :- 

  • MITRE :- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1614
  • NVD    :- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1614
  • CVEDe:- http://www.cvedetails.com/cve/CVE-2015-1614/