CVE-2015-4065
low
CVSS v3
—
CVSS v2
3.5
VIR risk
3.5
Description
Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound-shortcodes.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the post parameter to wp-admin/post-new.php.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://wordpress.org/plugins/landing-pages/changelog/
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| landing_pages_project | landing_pages | {"endIncluding":"1.8.4"} | |
References
- http://packetstormsecurity.com/files/132037/WordPress-Landing-Pages-1.8.4-Cross-Site-Scripting-SQL-Injection.html
- http://www.securityfocus.com/bid/74777
- https://wordpress.org/plugins/landing-pages/changelog/
- https://www.exploit-db.com/exploits/37108/
- http://packetstormsecurity.com/files/132037/WordPress-Landing-Pages-1.8.4-Cross-Site-Scripting-SQL-Injection.html
- http://www.securityfocus.com/bid/74777
- https://wordpress.org/plugins/landing-pages/changelog/
- https://www.exploit-db.com/exploits/37108/
CWEs
CWE-79
Verify integrity in audit chain (admin only). AS-IS.