CVE-2012-5387

Current Description

Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, as demonstrated by a developer name containing XSS sequences.

Referenced by CVEs: CVE-2012-5388

Basic Data

Published: October 24, 2012
Last Modified: August 29, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-352
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 6.8
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • AND
    • OR - Configuration 1
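      | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.0.2 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.0.3 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.0.4 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.0.5 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.1 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.2 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.3 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.4 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.4.1 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.4.2 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.4.3 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.4.4 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.4.5 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.4.6 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | 1.4.7 | * | * | * | * | * | * | * |  |  |  |  |
      | 2.3 | Application | Videousermanuals | White-label-cms | * | * | * | * | * | * | * | * |  | 1.5 |  |  |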
    • OR Running on/with:
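      | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
      | 2.3 | Application | Wordpress | Wordpress | - | * | * | * | * | * | * | * |  |  |  |  |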

Vulnerable Software List

| Vendor | Product | Versions |
|---|---|---|
| Videousermanuals | White-label-cms | *, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1, 1.2, 1.3, 1.4, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7 |

References

| Name | Source | URL | Tags |
|---|---|---|---|
| 86568 | OSVDB | http://osvdb.org/86568 |  |
| http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html | MISC | http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Sit |  |
| http://wordpress.org/extend/plugins/white-label-cms/changelog/ | CONFIRM | http://wordpress.org/extend/plugins/white-label-cms/changelog/ | Patch |
| 22156 | EXPLOIT-DB | http://www.exploit-db.com/exploits/22156/ | Exploit |
| 56166 | BID | http://www.securityfocus.com/bid/56166 |  |
| wp-whitelabelcms-admin-csrf(79520) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/79520 |  |