CVE-2014-8948 : Cross-site request forgery (CSRF) vulnerability in the iMember360 plugin 3.8.012

Cross-site request forgery (CSRF) vulnerability in the iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote attackers to hijack the authentication of administrators for requests that with an unspecified impact via the i4w_trace parameter. NOTE: this can be leveraged with CVE-2014-8948 to execute arbitrary commands.

Published 2014-11-16 11:59:05

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2014-8948

Imember360 » Imember360 » Version: 3.9.001 For Wordpress
cpe:2.3:a:imember360:imember360:3.9.001:*:*:*:*:wordpress:*:*
Matching versions
Imember360 » Imember360 » Version: 3.9.000 For Wordpress
cpe:2.3:a:imember360:imember360:3.9.000:*:*:*:*:wordpress:*:*
Matching versions
Imember360 » Imember360 » Version: 3.8.013 For Wordpress
cpe:2.3:a:imember360:imember360:3.8.013:*:*:*:*:wordpress:*:*
Matching versions
Imember360 » Imember360 » Version: 3.8.014 For Wordpress
cpe:2.3:a:imember360:imember360:3.8.014:*:*:*:*:wordpress:*:*
Matching versions
Imember360 » Imember360 » Version: 3.8.012 For Wordpress
cpe:2.3:a:imember360:imember360:3.8.012:*:*:*:*:wordpress:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-8948

EPSS FAQ

0.96%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 75 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-8948

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2014-8948

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-8948

http://www.exploit-db.com/exploits/33076

WordPress Plugin iMember360 3.8.012 < 3.9.001 - Multiple Vulnerabilities - PHP webapps Exploit
Exploit

CVEs referencing this url
http://secunia.com/advisories/58094

Sign in

CVEs referencing this url
http://osvdb.org/show/osvdb/106301

CVEs referencing this url
http://packetstormsecurity.com/files/126324/WordPress-iMember360is-3.9.001-XSS-Disclosure-Code-Execution.html

WordPress iMember360is 3.9.001 XSS / Disclosure / Code Execution ≈ Packet Storm
Exploit

CVEs referencing this url
http://seclists.org/fulldisclosure/2014/Apr/265

Full Disclosure: Multiple Vulnerabilities in iMember360 (Wordpress plugin)
Exploit

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2014-8948

Products affected by CVE-2014-8948

Exploit prediction scoring system (EPSS) score for CVE-2014-8948

CVSS scores for CVE-2014-8948

CWE ids for CVE-2014-8948

References for CVE-2014-8948