Vulnerability Details : CVE-2017-6955
An issue was discovered in by-email/by-email.php in the Invite Anyone plugin before 1.3.15 for WordPress. A user is able to change the subject and the body of the invitation mail that should be immutable, which facilitates a social engineering attack.
Vulnerability category: Input validation
Products affected by CVE-2017-6955
- cpe:2.3:a:teleogistic:invite_anyone:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-6955
0.88%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 73 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-6955
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
|
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2017-6955
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-6955
-
https://wordpress.org/plugins/invite-anyone/changelog/
Invite Anyone – WordPress plugin | WordPress.orgRelease Notes;Third Party Advisory
-
http://www.securityfocus.com/bid/96965
Wordpress Anyone Plugin 'by-email.php' Session Management Security Bypass VulnerabilityThird Party Advisory;VDB Entry
-
https://github.com/boonebgorges/invite-anyone/compare/2ed5266ad3ae40f8db39adf06f450bbad56e2eac...boonebgorges:6121de08df86c5005b657dd67e48aa02c7982855
Comparing 2ed5266ad3ae40f8db39adf06f450bbad56e2eac...6121de08df86c5005b657dd67e48aa02c7982855 · boonebgorges/invite-anyone · GitHubThird Party Advisory
Jump to