

Multiple cross-site request forgery (CSRF) vulnerabilities in the Image Metadata Cruncher plugin for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) image_metadata_cruncher[alt] or (2) image_metadata_cruncher[caption] parameter in an update action in the image_metadata_cruncher_title page to wp-admin/options.php or (3) custom image meta tag to the image metadata cruncher page.

Impact raised from Low to Medium


CVSS Severity (version 2.0):
CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Impact Subscore: 6.4
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

External Sources 

External Source: XF
Name: image-metadata-wordpress-xss(100926)
External Source: MISC
External Source: BUGTRAQ
Name: 20150217 CVE-2015-1614 csrf/xss in in wordpress Plugin Image Metadata cruncher
External Source: BUGTRAQ
Name: 20150215 Multiple Cross site scripting in wordpress Plugin Image Metadata cruncher


