Vulnerability Details : CVE-2014-5196
Cross-site request forgery (CSRF) vulnerability in improved-user-search-in-backend.php in the backend in the Improved user search in backend plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that insert XSS sequences via the iusib_meta_fields parameter.
Vulnerability category: Cross-site scripting (XSS); Cross-site request forgery (CSRF)
Products affected by CVE-2014-5196
- Improved User Search In Backend Project » Improved User Search In Backend » For WordPress: versions up to and including (<=) 1.2.4. CPE: cpe:2.3:a:improved_user_search_in_backend_project:improved_user_search_in_backend:*:-:-:*:-:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-5196
- EPSS score: 0.22% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~60% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2014-5196
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | 
CWE ids for CVE-2014-5196
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2014-5196
- http://wordpress.org/plugins/improved-user-search-in-backend/changelog (Improved user search in backend – WordPress plugin | WordPress.org) [Patch; Vendor Advisory]
- https://security.dxw.com/advisories/csrf-and-xss-in-improved-user-search-allow-execution-of-arbitrary-javascript-in-wordpress-admin-area/ (CSRF and XSS in Improved user search allow execution of arbitrary javascript in WordPress admin area – dxw advisories) [Exploit]