CVE-2013-6797
medium
CVSS v3
—
CVSS v2
6.8
VIR risk
6.8
Description
Cross-site request forgery (CSRF) vulnerability in bluewrench-video-widget.php in the Blue Wrench Video Widget plugin before 2.0.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that embed arbitrary URLs via the bw_url parameter in the bw-videos page to wp-admin/admin.php, as demonstrated by embedding a URL to a JavaScript file.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — http://wordpress.org/plugins/blue-wrench-videos-widget/changelog
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| sunil_nanda | blue_wrench_video_widget | {"endIncluding":"1.0.5"} | |
| sunil_nanda | blue_wrench_video_widget | 1.0.0 | |
| sunil_nanda | blue_wrench_video_widget | 1.0.1 | |
| sunil_nanda | blue_wrench_video_widget | 1.0.2 | |
| sunil_nanda | blue_wrench_video_widget | 1.0.3 | |
| sunil_nanda | blue_wrench_video_widget | 1.0.4 | |
References
- http://osvdb.org/98922
- http://osvdb.org/98923
- http://securityundefined.com/wordpress-plugin-blue-wrench-video-widget-csrf-persistent-xss-0day-disclosure/
- http://wordpress.org/plugins/blue-wrench-videos-widget/changelog
- http://osvdb.org/98922
- http://osvdb.org/98923
- http://securityundefined.com/wordpress-plugin-blue-wrench-video-widget-csrf-persistent-xss-0day-disclosure/
- http://wordpress.org/plugins/blue-wrench-videos-widget/changelog
CWEs
CWE-352
Verify integrity in audit chain (admin only). AS-IS.