Vulnerability Details : CVE-2019-19134
The Hero Maps Premium plugin for WordPress, version 2.2.1 and prior, is vulnerable to unauthenticated reflected cross-site scripting (XSS) via the p parameter of views/dashboard/index.php because it fails to sufficiently sanitize user-supplied input before reflecting it into the response. No login is required: an attacker who gets a victim to open a crafted URL can inject HTML or arbitrary JavaScript that executes in the victim's browser in the context of the affected site. This may allow the attacker to steal cookie-based session tokens (where the cookies are not flagged HttpOnly) or, even when they are, to issue authenticated requests on the victim's behalf and launch other attacks. The wpvulndb advisory in the references lists the affected range as versions below 2.2.3.
Vulnerability category: Cross site scripting (XSS)
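The description above names the endpoint (views/dashboard/index.php) and the parameter (p), which is enough to write a log-side detection for probes against it. The script below is an added example, not the plugin's code and not taken from the page's references: it parses combined-format access log lines, percent-decodes the p parameter through several encoding rounds so double-encoded payloads are seen as the server would render them, and flags generic reflected-XSS indicators only on requests whose path ends in the affected file. The plugin directory name hero-maps-premium, the log lines and the indicator list are assumptions constructed for illustration; the probe strings are generic XSS canaries, not a payload specific to this CVE.

```python
"""Access-log detection for reflected-XSS probes against the endpoint named in
CVE-2019-19134 (views/dashboard/index.php, parameter p).

Added example: this is not the plugin's code. The plugin directory name, the
sample log lines and the indicator list are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the CVE description. The directory prefix
# under wp-content/plugins/ varies per install, so only the path suffix is matched.
AFFECTED_PATH_SUFFIX = "/views/dashboard/index.php"
AFFECTED_PARAM = "p"

# Generic reflected-XSS indicators; these are not a payload specific to this CVE.
XSS_INDICATORS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),                      # onerror=, onload=, ...
    re.compile(r"<\s*(img|svg|iframe|body|object|embed)\b", re.I),
    re.compile(r"\bsrcdoc\s*=", re.I),
]

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (assumed plugin directory name hero-maps-premium).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2019:10:15:02 +0000] "GET /wp-content/plugins/hero-maps-premium/views/dashboard/index.php?p=settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [21/Nov/2019:10:16:41 +0000] "GET /wp-content/plugins/hero-maps-premium/views/dashboard/index.php?p=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5310 "-" "curl/7.64.1"',
    '198.51.100.23 - - [21/Nov/2019:10:16:55 +0000] "GET /wp-content/plugins/hero-maps-premium/views/dashboard/index.php?p=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5300 "-" "curl/7.64.1"',
    '192.0.2.9 - - [21/Nov/2019:10:17:10 +0000] "GET /index.php?p=%3Cscript%3E HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]


def full_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double- or triple-encoded payloads are
    seen in the form the server would eventually render."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return the indicator patterns matched in the p parameter of one request
    target, or [] when the request is not for the affected endpoint."""
    parts = urlsplit(target)
    if not parts.path.endswith(AFFECTED_PATH_SUFFIX):
        return []
    # parse_qs already performs one round of percent-decoding.
    values = parse_qs(parts.query, keep_blank_values=True).get(AFFECTED_PARAM, [])
    hits = []
    for value in values:
        decoded = full_decode(value)
        for pattern in XSS_INDICATORS:
            if pattern.search(decoded) and pattern.pattern not in hits:
                hits.append(pattern.pattern)
    return hits


def scan_log(lines):
    """Parse each combined-format line and return one alert dict per request
    that carries an XSS indicator in the affected parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production rule should count these
        hits = inspect_request(m.group("target"))
        if hits:
            alerts.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "target": m.group("target"),
                "indicators": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["status"], alert["indicators"])
```

Restricting the rule to the affected path is deliberate for a CVE-specific detection; a general reflected-XSS rule would drop the path check and watch every parameter. A 200 response to a probe does not by itself confirm the site is vulnerable, so correlate hits with the installed plugin version before escalating.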
Products affected by CVE-2019-19134
- cpe:2.3:a:heroplugins:hero_maps_premium:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-19134
0.27%: probability of exploitation activity in the next 30 days
~67%: percentile, the proportion of vulnerabilities scored at or below this score
CVSS scores for CVE-2019-19134
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | 
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | 
CWE ids for CVE-2019-19134
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-19134
- https://heroplugins.com/changelogs/hmaps/changelog.txt (Release Notes; Vendor Advisory)
- https://www.hooperlabs.xyz/disclosures/cve-2019-19134.php - Hooper Labs - Adversarial Techniques and Research (Exploit; Third Party Advisory)
- https://heroplugins.com/product/maps/ - Hero Maps Premium | HeroPlugins (Product)
- https://wpvulndb.com/vulnerabilities/10095 - Hero Maps Premium < 2.2.3 - Unauthenticated Reflected Cross-Site Scripting (XSS) (Third Party Advisory)