Vulnerability Details : CVE-2019-19133
The CSS Hero plugin through 4.0.3 for WordPress is prone to reflected XSS via the URI in a csshero_action=edit_page request because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary JavaScript in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookies or launch other attacks.
Vulnerability category: Cross site scripting (XSS)
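The description above names the bug class (request data reflected into an editor page without output encoding) but the page does not reproduce the plugin's code. The PHP below is an added illustration of that class and is not CSS Hero's source: a hypothetical WordPress admin-side handler that echoes the request URI and a query parameter unescaped, next to a version that rebuilds the URL from known-good parts, escapes for the context it lands in, and gates the action behind a capability check and a nonce. The function names, the `page_id` parameter and the nonce action string are assumptions.

```php
<?php
// Added illustration of the bug class; NOT the CSS Hero plugin's actual code.
// A hypothetical handler for ?csshero_action=edit_page on a WordPress site.

// --- Vulnerable pattern: raw request data placed into HTML and JS context ---
function insecure_edit_page_handler() {
    if ( ! isset( $_GET['csshero_action'] ) || 'edit_page' !== $_GET['csshero_action'] ) {
        return;
    }
    // $_SERVER['REQUEST_URI'] is attacker-controlled. A link such as
    //   /?csshero_action=edit_page&x="><script>alert(1)</script>
    // (generic XSS test string, not a payload from the advisories) ends up
    // verbatim inside the href attribute below.
    $uri  = $_SERVER['REQUEST_URI'];
    $page = isset( $_GET['page_id'] ) ? $_GET['page_id'] : '';   // page_id is an assumed parameter
    echo '<a href="' . $uri . '">Back to editor</a>';
    // String concatenation into a script block: a quote in page_id breaks out.
    echo '<script>var cssheroPage = "' . $page . '";</script>';
}

// --- Hardened pattern: context-appropriate escaping plus access control ---
function secure_edit_page_handler() {
    if ( ! isset( $_GET['csshero_action'] ) || 'edit_page' !== $_GET['csshero_action'] ) {
        return;
    }
    // The editor is a privileged feature: refuse callers without the capability
    // and require a nonce so a crafted link cannot simply be opened by an admin.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'csshero_edit_page' );   // nonce action name is an assumption

    // Never echo REQUEST_URI. Coerce the input to the type it should be and
    // rebuild the link from known-good pieces, then escape for attribute context.
    $page_id = absint( wp_unslash( $_GET['page_id'] ?? 0 ) );
    $back    = add_query_arg(
        array( 'csshero_action' => 'edit_page', 'page_id' => $page_id ),
        admin_url( 'admin.php' )
    );
    echo '<a href="' . esc_url( $back ) . '">Back to editor</a>';

    // Data handed to JavaScript goes through wp_json_encode, not concatenation,
    // so quotes, angle brackets and line terminators are encoded for JS context.
    echo '<script>var cssheroPage = ' . wp_json_encode( $page_id ) . ';</script>';
}
```

The fix is per output context: `esc_url()` for the `href`, `wp_json_encode()` for the script block (an `esc_html()` call would not be the right encoder there), and type coercion with `absint()` before any of it. The wpvulndb reference lists this as an authenticated reflected XSS, so the crafted link has to be opened by a logged-in user who can reach the editor; that is why the v3.1 vector carries UI:R, and why the capability and nonce checks belong alongside the escaping rather than instead of it.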
Products affected by CVE-2019-19133
- cpe:2.3:a:csshero:csshero:4.0.3:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-19133
Score: 2.92% (probability of exploitation activity in the next 30 days)
Percentile: ~91% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2019-19133
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |

The first row is the CVSS v2.0 score and the second the CVSS v3.1 score, both from NIST; the First Seen column is empty on the source page.
CWE ids for CVE-2019-19133
- CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-19133
- WordPress CSS Hero 4.0.3 Cross Site Scripting (Packet Storm): http://packetstormsecurity.com/files/155558/WordPress-CSS-Hero-4.0.3-Cross-Site-Scripting.html [Exploit; Third Party Advisory; VDB Entry]
- Full Disclosure: Reflected XSS in CSS Hero (v.4.0.3): http://seclists.org/fulldisclosure/2019/Dec/6 [Exploit; Mailing List; Third Party Advisory]
- CSS Hero <= 4.03 - Authenticated Reflected XSS (wpvulndb): https://wpvulndb.com/vulnerabilities/9966 [Third Party Advisory]