CVE-2014-6243

Cross-site scripting (XSS) vulnerability in the EWWW Image Optimizer plugin before 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the error parameter in the ewww-image-optimizer.php page to wp-admin/options-general.php, which is not properly handled in a pngout error message.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://wordpress.org/plugins/ewww-image-optimizer/changelog	Patch
https://www.htbridge.com/advisory/HTB23234	Exploit
http://www.securityfocus.com/bid/70190
http://packetstormsecurity.com/files/128621/WordPress-EWWW-Image-Optimizer-2.0.1-Cross-Site-Scripting.html	Exploit
http://www.securityfocus.com/archive/1/533641/100/0/threaded

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ewww_image_optimizer_plugin_project:ewww_image_optimizer_plugin::::::wordpress::*
	cpe:2.3:a:ewww_image_optimizer_plugin_project:ewww_image_optimizer_plugin:2.0.0:::::wordpress::

Information

Published : 2014-10-10 07:55

Updated : 2018-10-09 12:50

NVD link : CVE-2014-6243

Mitre link : CVE-2014-6243

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advertisement

Products Affected

ewww_image_optimizer_plugin_project

ewww_image_optimizer_plugin

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://wordpress.org/plugins/ewww-image-optimizer/changelog", "name": "https://wordpress.org/plugins/ewww-image-optimizer/changelog", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "https://www.htbridge.com/advisory/HTB23234", "name": "https://www.htbridge.com/advisory/HTB23234", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/bid/70190", "name": "70190", "tags": [], "refsource": "BID"}, {"url": "http://packetstormsecurity.com/files/128621/WordPress-EWWW-Image-Optimizer-2.0.1-Cross-Site-Scripting.html", "name": "http://packetstormsecurity.com/files/128621/WordPress-EWWW-Image-Optimizer-2.0.1-Cross-Site-Scripting.html", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/archive/1/533641/100/0/threaded", "name": "20141008 Reflected Cross-Site Scripting (XSS) in EWWW Image Optimizer WordPress Plugin", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the EWWW Image Optimizer plugin before 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the error parameter in the ewww-image-optimizer.php page to wp-admin/options-general.php, which is not properly handled in a pngout error message."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-6243", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2014-10-10T14:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:ewww_image_optimizer_plugin_project:ewww_image_optimizer_plugin:*:*:*:*:*:wordpress:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "2.01"}, {"cpe23Uri": "cpe:2.3:a:ewww_image_optimizer_plugin_project:ewww_image_optimizer_plugin:2.0.0:*:*:*:*:wordpress:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-09T19:50Z"}