Vulnerability Details : CVE-2020-13643
Potential exploit
An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2020-13643
- cpe:2.3:a:siteorigin:page_builder:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-13643
- EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~28% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-13643
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
| 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | MITRE | |
| 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2020-13643
- The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2020-13643
- https://wordpress.org/plugins/siteorigin-panels/#developers : Page Builder by SiteOrigin – WordPress plugin | WordPress.org (Release Notes; Third Party Advisory)
- https://www.wordfence.com/blog/2020/05/vulnerabilities-patched-in-page-builder-by-siteorigin-affects-over-1-million-sites/ : Vulnerabilities Patched in Page Builder by SiteOrigin Affects Over 1 Million Sites (Exploit; Third Party Advisory)