Vulnerability Details : CVE-2013-5977
Cross-site request forgery (CSRF) vulnerability in Cart66Product.php in the Cart66 Lite plugin before 1.5.1.15 for WordPress allows remote attackers to hijack the authentication of administrators for requests that (1) create or modify products or conduct cross-site scripting (XSS) attacks via the (2) Product name or (3) Price description field in a product save action via a request to wp-admin/admin.php.
Vulnerability category: Cross-site scripting (XSS), Cross-site request forgery (CSRF)
Products affected by CVE-2013-5977
- cpe:2.3:a:cart66:cart66_lite_plugin:*:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.5.1.8:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.4.8:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.4.7:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.1.5:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.1.4:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.5.0:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.4.9:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.3.0:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.1.6:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.0.8:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.0.7:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.5.1:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.5.0.2:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.5.0.1:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.4.1:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.4.0:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.1.1:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.1:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.5.1.2:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.5.1.1:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.4.4:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.4.2:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.1.3:-:*:*:*:wordpress:*:*
- cpe:2.3:a:cart66:cart66_lite_plugin:1.1.2:-:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-5977
- EPSS score: 1.59% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~87% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2013-5977
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
CWE ids for CVE-2013-5977
- The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2013-5977
- http://packetstormsecurity.com/files/123587/WordPress-Cart66-1.5.1.14-Cross-Site-Request-Forgery-Cross-Site-Scripting.html - WordPress Cart66 1.5.1.14 Cross Site Request Forgery / Cross Site Scripting (Packet Storm) [Exploit]
- http://www.exploit-db.com/exploits/28959 - WordPress Plugin Cart66 1.5.1.14 - Multiple Vulnerabilities - PHP webapps Exploit [Exploit]
- http://seclists.org/bugtraq/2013/Oct/52 - Bugtraq: Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities [Exploit]
- http://blog.noobroot.com/#!/2013/10/0-day-wordpress-cart66-plugin-15114.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/87874 - Cart66 Lite plugin for WordPress admin.php cross-site request forgery CVE-2013-5977 Vulnerability Report
- http://archives.neohapsis.com/archives/bugtraq/2013-10/0048.html [Exploit]
- http://www.securityfocus.com/bid/62975 - WordPress Cart66 Lite Plugin CVE-2013-5977 Cross Site Request Forgery Vulnerability
- http://wordpress.org/plugins/cart66-lite/changelog/ - Cart66 Lite :: WordPress Ecommerce - WordPress plugin | WordPress.org